
Re: ike source port (was: issues with IKE that need resolution)



>        Is it ok for the source port for IKE to be something other than
>        port 500?

One thing to keep in mind is that ISAKMP is a peer-to-peer protocol that
isn't restricted to just client-to-server types of interaction.  In
host-to-host or gateway-to-gateway scenarios, typically either peer can be
either the initiator or the responder.  If Host A is sitting behind a NAT
box, and that NAT box does dynamic address and port translation, and
Host B wants to establish an SA with Host A, how is Host B going to know
the address and port number to which it should send that first ISAKMP
message?

My biggest concern is that making a "fix" to allow any source port to
initiate ISAKMP traffic - make that a change to mandate that ISAKMP
responders respond to ports other than 500, which isn't a requirement
currently - is going to give people the false impression that doing
so magically fixes the "IPSEC/NAT problem" across the board, when in
fact it only addresses part of the problem for only a subset of the
possible scenarios where IPSEC can be used - the subset where there is
a strict client-to-server, initiator-to-responder assignment of roles
that doesn't ever change.  I don't want to have to try to explain to
someone why the NAT box they just installed breaks IPSEC communications
in some cases but not in others.

>[...] Allowing the source port to vary does not
>seem to have security implications, because source and destination
>ports are already included in the hash. [...]

Actually, source and destination ports (those in the UDP header at
least) aren't included in any of the IKE hash calculations.

-Shawn Mamros
E-mail to: smamros@BayNetworks.com
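The point about the IKE hashes can be checked against the RFC 2409 definitions. The following is an added example, not code from the original post or from any IKE implementation: it computes the phase 1 authentication hashes HASH_I and HASH_R over exactly the fields RFC 2409 lists (g^xi, g^xr, the two ISAKMP cookies, SAi_b and the ID payload body, keyed by SKEYID), and then feeds the same ISAKMP content in through two UDP datagrams with different source ports, as a NAT doing port translation would produce. HMAC-SHA1 is assumed as the negotiated prf, the signature-authentication form of SKEYID is used, and every cookie, nonce, Diffie-Hellman and SA value is a constructed placeholder rather than captured traffic.

```python
"""
Added example (not from the original post): IKEv1 / RFC 2409 phase 1
authentication hashes, computed over the fields the RFC lists, with a
simulated NAT port rewrite on the carrying UDP datagram.  All cookie,
nonce, Diffie-Hellman and SA values are constructed placeholders.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC keyed with the negotiated hash (SHA-1 assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_sig(ni_b: bytes, nr_b: bytes, gxy: bytes) -> bytes:
    """SKEYID for signature authentication: prf(Ni_b | Nr_b, g^xy)."""
    return prf(ni_b + nr_b, gxy)


@dataclass(frozen=True)
class Phase1State:
    """ISAKMP-level values both peers hold before the hash exchange."""
    gxi: bytes     # initiator Diffie-Hellman public value
    gxr: bytes     # responder Diffie-Hellman public value
    cky_i: bytes   # initiator cookie from the ISAKMP header, 8 octets
    cky_r: bytes   # responder cookie from the ISAKMP header, 8 octets
    sai_b: bytes   # body of the initiator's SA payload
    idii_b: bytes  # body of the initiator's ID payload
    idir_b: bytes  # body of the responder's ID payload
    ni_b: bytes    # initiator nonce payload body
    nr_b: bytes    # responder nonce payload body
    gxy: bytes     # shared Diffie-Hellman secret


def hash_i(st: Phase1State) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    skeyid = skeyid_sig(st.ni_b, st.nr_b, st.gxy)
    return prf(skeyid, st.gxi + st.gxr + st.cky_i + st.cky_r + st.sai_b + st.idii_b)


def hash_r(st: Phase1State) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    skeyid = skeyid_sig(st.ni_b, st.nr_b, st.gxy)
    return prf(skeyid, st.gxr + st.gxi + st.cky_r + st.cky_i + st.sai_b + st.idir_b)


@dataclass(frozen=True)
class UdpDatagram:
    """Minimal view of the carrier: the ports live here, outside every hashed field."""
    src_port: int
    dst_port: int
    isakmp: Phase1State


def verify_hash_i(dgram: UdpDatagram, received: bytes) -> bool:
    """Responder-side check of HASH_I.  dgram.src_port never enters the computation."""
    return hmac.compare_digest(hash_i(dgram.isakmp), received)


def constructed_state() -> Phase1State:
    """Constructed placeholder values (not real traffic), fixed so runs are repeatable."""
    return Phase1State(
        gxi=b"\x11" * 32, gxr=b"\x22" * 32,
        cky_i=b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8",
        cky_r=b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8",
        sai_b=b"\x00\x00\x00\x01" + b"\x03" * 12,
        idii_b=b"\x01\x00\x00\x00" + b"\x0a\x00\x00\x01",   # ID_IPV4_ADDR style
        idir_b=b"\x01\x00\x00\x00" + b"\x0a\x00\x00\x02",
        ni_b=b"\x55" * 16, nr_b=b"\x66" * 16, gxy=b"\x77" * 32,
    )


def nat_port_rewrite_changes_hash(st: Phase1State, port_before: int, port_after: int) -> bool:
    """Simulate a NAT rewriting the initiator's UDP source port in flight.
    Returns True only if the responder's HASH_I check would start failing."""
    sent = hash_i(st)
    original = UdpDatagram(src_port=port_before, dst_port=500, isakmp=st)
    translated = UdpDatagram(src_port=port_after, dst_port=500, isakmp=st)
    return verify_hash_i(original, sent) != verify_hash_i(translated, sent)


def cookie_rewrite_changes_hash(st: Phase1State) -> bool:
    """Contrast case: alter a field that IS hashed (the initiator cookie)."""
    altered = replace(st, cky_i=bytes(b ^ 0xFF for b in st.cky_i))
    return hash_i(altered) != hash_i(st)


if __name__ == "__main__":
    s = constructed_state()
    print("HASH_I:", hash_i(s).hex())
    print("NAT port 500 -> 41234 changes HASH_I:", nat_port_rewrite_changes_hash(s, 500, 41234))
    print("cookie change alters HASH_I:", cookie_rewrite_changes_hash(s))
```

The datagram wrapper is there to make the separation visible: a responder that wants to reject traffic arriving from an unexpected source port has to do so as a policy decision on the UDP header, because nothing in HASH_I or HASH_R will fail on its own when a NAT rewrites that port.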