
Re: ike source port (was: issues with IKE that need resolution)



> > > > 	Is it ok for the source port for IKE to be something other than
> > > > 	port 500?
> > > > 
> > > > Hopefully it is ok, as this eases ipsec across NAT boxes
> > > 
> > > Whoa!  Cognitive dissonance!
> > > 
> > To be clear, the NAT box Gabriel is referring to is a Host NAT server.
> > Host NAT server does not perform any address or port translation. 
> > Hope this helps.
> > 
> > cheers,
> > suresh
> 
> If so, then whence the term "NAT"?  Per RFC 1631 a NAT does address/port
> translation. 

Ok, wrong terminology. I should've said across some boxes. I was actually
referring to a NAR (negotiated address reuse) server. I agree with
Bill Manning that what Suresh describes above as Host "NAT" is not
NAT at all, because, as he describes it, it performs no translation.

The mechanism itself is tunneling based. This is very similar to what
a co-located mobile node does when sending packets back via a reverse
tunnel in mobileip. Nothing new there, certainly no network address
translation.

Having said that, it is possible to still retain some translation
of the outermost IP header (and NAR allows this),
but only if the traffic being shuttled through the border device
(NAR server, whatever you wish to call it) is tunnel mode ESP.

No translation is possible if the traffic
is AH (any mode) or transport mode ESP, as these cryptographically
protect the outer IP header from being modified.

-gabriel
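The point of the last two paragraphs (which traffic a translating border device can still rewrite) can be made concrete with a toy model. The following is an added example, not code from the thread or from any IPsec implementation: it models AH, transport-mode ESP and tunnel-mode ESP as three ways of protecting the same segment, runs each packet through a device that rewrites the outermost source address (the RFC 1631 style of translation the thread discusses), and checks what the receiver accepts. The key, addresses and payload are constructed; the ICV is a truncated HMAC-SHA256 standing in for a negotiated SA, and `_pseudo_checksum` is a stand-in for the TCP/UDP checksum, which in real stacks covers the IP pseudo-header addresses. In this model AH fails because its ICV covers the immutable header fields, and transport-mode ESP fails because the transport checksum that binds the original addresses sits inside the protected payload; only tunnel-mode ESP, whose ICV covers just the encapsulated inner packet, survives.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass, replace

# Constructed demo key; a real SA would use keys negotiated by IKE.
KEY = b"constructed-demo-key"

@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    proto: int
    ttl: int = 64

def _immutable(h: IPHeader) -> bytes:
    """Header fields AH authenticates; mutable ones (ttl) are zeroed."""
    return f"{h.src}|{h.dst}|{h.proto}|ttl=0|".encode()

def _encap(h: IPHeader) -> bytes:
    """Fixed-width serialisation of a header for tunnel-mode encapsulation."""
    return h.src.encode().ljust(15) + h.dst.encode().ljust(15) + bytes([h.proto])

def _decap(payload: bytes):
    h = IPHeader(payload[:15].strip().decode(), payload[15:30].strip().decode(), payload[30])
    return h, payload[31:]

def _icv(data: bytes) -> bytes:
    """96-bit truncated HMAC-SHA256 integrity check value (toy SA)."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]

def _pseudo_checksum(src: str, dst: str, data: bytes) -> int:
    """Toy stand-in for the TCP/UDP checksum, which covers the IP
    pseudo-header (addresses) as well as the transport data."""
    return sum(f"{src}|{dst}|".encode() + data) & 0xFFFF

def build_segment(src: str, dst: str, data: bytes) -> bytes:
    return struct.pack("!H", _pseudo_checksum(src, dst, data)) + data

def segment_ok(src: str, dst: str, seg: bytes) -> bool:
    return struct.unpack("!H", seg[:2])[0] == _pseudo_checksum(src, dst, seg[2:])

# --- sender side: three ways of protecting the same segment ---
def ah_transport(h: IPHeader, seg: bytes) -> dict:
    return {"icv": _icv(_immutable(h) + seg), "payload": seg}

def esp_transport(h: IPHeader, seg: bytes) -> dict:
    return {"icv": _icv(seg), "payload": seg}  # outer header not covered

def esp_tunnel(inner: IPHeader, seg: bytes) -> dict:
    inner_pkt = _encap(inner) + seg
    return {"icv": _icv(inner_pkt), "payload": inner_pkt}

# --- receiver side ---
def ah_verify(h: IPHeader, pkt: dict) -> bool:
    return (hmac.compare_digest(pkt["icv"], _icv(_immutable(h) + pkt["payload"]))
            and segment_ok(h.src, h.dst, pkt["payload"]))

def esp_transport_verify(h: IPHeader, pkt: dict) -> bool:
    if not hmac.compare_digest(pkt["icv"], _icv(pkt["payload"])):
        return False
    # ICV holds, but the checksum inside the protected payload still binds
    # the addresses the segment was built with, so the stack rejects it.
    return segment_ok(h.src, h.dst, pkt["payload"])

def esp_tunnel_verify(outer: IPHeader, pkt: dict) -> bool:
    if not hmac.compare_digest(pkt["icv"], _icv(pkt["payload"])):
        return False
    inner, seg = _decap(pkt["payload"])  # outer header is never consulted
    return segment_ok(inner.src, inner.dst, seg)

def translate(h: IPHeader, new_src: str) -> IPHeader:
    """A translating border device rewrites the outermost source address
    and decrements ttl; nothing inside the packet is touched."""
    return replace(h, src=new_src, ttl=h.ttl - 1)

def survives_translation(mode: str) -> bool:
    """Build one packet per mode, push it through the translator, verify."""
    host, server, gateway = "10.0.0.5", "192.0.2.10", "198.51.100.1"  # constructed
    inner = IPHeader(host, server, 6)
    seg = build_segment(host, server, b"constructed application data")
    if mode == "ah":
        outer, pkt, verify = inner, ah_transport(inner, seg), ah_verify
    elif mode == "esp-transport":
        outer, pkt, verify = inner, esp_transport(inner, seg), esp_transport_verify
    elif mode == "esp-tunnel":
        outer = IPHeader(host, gateway, 50)
        pkt, verify = esp_tunnel(inner, seg), esp_tunnel_verify
    else:
        raise ValueError(mode)
    assert verify(outer, pkt)  # the untranslated packet always verifies
    return verify(translate(outer, "203.0.113.7"), pkt)

if __name__ == "__main__":
    for m in ("ah", "esp-transport", "esp-tunnel"):
        print(f"{m:14s} survives address translation: {survives_translation(m)}")
```

Running it reports that only `esp-tunnel` survives. Note that the model rewrites only the source address; a port-translating device would additionally have to reach the port numbers, which in all three modes sit inside the authenticated region, which is why IKE's own UDP port matters to the question that opened the thread.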


