
Re: ike source port (was: issues with IKE that need resolution)



"Thomas Narten" <narten@raleigh.ibm.com> wrote:

> If I read this correctly, some of the IKE payloads include the source
> port in the cryptographic hash. If so, seems like IKE will have
> problems running through a NAT box. When NAT changes the source port,
> its value at the receiver will not be correct relative to the hash,
> and the receiver will toss the packet as invalid.
> 
> Or am I missing something?

It's kinda tricky; I think it would not break because
the hash uses the value of the port reported in the ID
payload. Notice that the hash does not actually use the
real port number out on the IP header.

But the port number in the ID payload should really agree with
the port number in the IP header.

In order to do this, the client and the N-- box
negotiate a port number that is agreeable to both in advance.
The client would then compose the packet using an address
borrowed from the N-- box (perhaps N--'s own IP address) and the
negotiated port.

So by preparing the right packet in advance, there is no need
for translation at the N-- box (it's no longer a NAT box, as there
is no translation).

However, current IKE/DOI only allow port 500 (or 0) in the
ID payload.

-gabriel
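The three points in the reply above (the hash covers the port carried in the ID payload rather than the UDP header, a NAT rewriting the UDP port therefore leaves the hash valid but makes the two ports disagree, and the DOI restricts the ID-payload port to 500 or 0) can be modelled in a few lines. The following is an added example written for this archive page, not code from the thread or from any IKE implementation. It is a deliberate simplification: the only hash input modelled is the ID payload body (a real HASH_I also covers the DH values, cookies and SA payload), the shared secret and the addresses and ports are constructed sample values, and the receiver-side consistency check `port_consistent` is a hypothetical check added to show where a mismatch would surface, not something IKE itself performs. The ID payload body layout (ID type, protocol ID, port, identification data) follows the ISAKMP/IPsec DOI definition.

```python
import hmac
import hashlib
import struct

# Constructed sample values (not from the thread): a toy secret standing in
# for SKEYID, and the IKE port and DOI-permitted ports the reply mentions.
SKEYID = b"constructed-shared-secret"
IKE_PORT = 500
DOI_ALLOWED_ID_PORTS = (0, IKE_PORT)

ID_IPV4_ADDR = 1   # ID type: IPv4 address
PROTO_UDP = 17     # protocol ID carried in the ID payload


def build_id_payload(id_type: int, proto: int, port: int, ident: bytes) -> bytes:
    """Encode an ID payload body: ID type, protocol ID, port, identification data.
    The generic ISAKMP payload header (next payload, length) is omitted here."""
    return struct.pack("!BBH", id_type, proto, port) + ident


def parse_id_payload(body: bytes):
    """Inverse of build_id_payload; returns (id_type, proto, port, ident)."""
    id_type, proto, port = struct.unpack("!BBH", body[:4])
    return id_type, proto, port, body[4:]


def compute_hash(skeyid: bytes, id_payload: bytes) -> bytes:
    """Toy stand-in for the IKE authentication hash: keyed over the ID payload
    bytes only. Note that the UDP header is NOT an input."""
    return hmac.new(skeyid, id_payload, hashlib.sha1).digest()


def send(id_payload: bytes, udp_src_port: int) -> dict:
    """The initiator's datagram as a dict: UDP source port plus ISAKMP payload."""
    return {
        "udp_src_port": udp_src_port,
        "id_payload": id_payload,
        "hash": compute_hash(SKEYID, id_payload),
    }


def nat_rewrite(packet: dict, new_src_port: int) -> dict:
    """A NAT box rewrites the UDP header but never touches the ISAKMP payload."""
    out = dict(packet)
    out["udp_src_port"] = new_src_port
    return out


def receive(packet: dict):
    """Responder-side checks. Returns (hash_ok, port_consistent, doi_ok):
    hash_ok         - the keyed hash over the ID payload verifies
    port_consistent - hypothetical check: ID-payload port equals the UDP port seen
    doi_ok          - the ID-payload port is one the DOI permits in phase 1"""
    expected = compute_hash(SKEYID, packet["id_payload"])
    hash_ok = hmac.compare_digest(expected, packet["hash"])
    _, _, id_port, _ = parse_id_payload(packet["id_payload"])
    port_consistent = id_port == packet["udp_src_port"]
    doi_ok = id_port in DOI_ALLOWED_ID_PORTS
    return hash_ok, port_consistent, doi_ok


def scenario(id_port: int, udp_src_port: int, nat_port=None):
    """Run one exchange: build, optionally pass through a NAT, then receive."""
    ident = bytes([10, 0, 0, 1])  # constructed initiator address
    pkt = send(build_id_payload(ID_IPV4_ADDR, PROTO_UDP, id_port, ident), udp_src_port)
    if nat_port is not None:
        pkt = nat_rewrite(pkt, nat_port)
    return receive(pkt)


if __name__ == "__main__":
    print("no NAT, port 500:        ", scenario(IKE_PORT, IKE_PORT))
    print("NAT rewrites UDP port:   ", scenario(IKE_PORT, IKE_PORT, nat_port=40001))
    print("pre-negotiated port 5000:", scenario(5000, 5000))
```

Running the three scenarios shows the reply's argument in order: with no NAT everything agrees; behind a NAT the hash still verifies (the UDP port is not hashed) but the ID-payload port no longer matches the header port; and with a port agreed in advance so that no translation happens, hash and ports agree but the DOI check fails because only 500 or 0 is permitted in the ID payload.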