
Re: suggested clarification regarding port handling in ike



Thanks for your response, Dan:
>> 	IKE implementations MUST support UDP port 500 for both source
>> 	and destination, but other port numbers are also allowed.
>> 	If an implementation allows other-than-port-500 for IKE,
>> 	it sets the value of the port numbers as reported in the 
>> 	ID payload to 0 (meaning "any port"), instead of 500. UDP port numbers
>> 	(500 or not) are handled by the common "swap src/dst port and reply" 
>> 	method. 
>
>IKE uses ISAKMP as a transport and it seems to me that any verbiage
>needed to clarify the use of that transport should go in a son-of-ISAKMP
>draft. 

i hate to admit it, but i tend to agree with you here. the only reason
i suggested putting in ike is that it is currently under revision,
whereas isakmp is not. unless, of course, ted and the isakmp folks
know something we don't. i don't think this clarification justifies
opening up isakmp or doi again, so if it doesn't go in the new ike,
it probably won't make it anywhere.

ted? perhaps an addition to section 2.5.1 (transport protocol) in 
isakmp (rfc2408)? btw, there's also related text in the DOI.

>In addition, the ID payloads are typically exchanged so late in
>the exchange that this information would not be useful. A Main Mode
>exchange will have 4 packets be exchanged before the Responder would
>obtain the Initiator's ID payload informing him that the Initiator
>allows for an other-than-port-500 port.

there's some confusion here. this stuff actually works. this is how
people test with the ssh test facility in finland (see tero's
recent posting), for example, and the
"other-than-port-500" combined with the "swap src/dst port and reply"
actually works today (heck, it even works across network address
and port translation--i know of someone who tests his ike
implementation across such a box). 

perhaps you got confused because you expect the above blurb to cover
the very important but orthogonal problem of *advertising* the
value of the other-than-port-500. it doesn't. somehow, you've got
to do that part. the above blurb just says that after you've
set up an ike responder on some other-than-500 port, and made that
known by whatever means, this is how things work. again, it's not
meant to specify new behavior, but simply to document what appears
to be the common practice. 

-gabriel
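To make the "swap src/dst port and reply" convention and the "port 0 means any port" ID-payload value concrete, here is a small simulation of the practice described in the message above. It is an added example, not code from the thread, and not an ISAKMP/IKE implementation: the datagram record, the `Responder` and `PortTranslator` classes, the responder port 7000 and the addresses (taken from the documentation ranges) are all constructed for illustration. It shows why a responder on a non-500 port, and even one reached through a NAT/port-translation box, keeps working without any extra signalling: the reply simply goes back to whatever address:port the request arrived from.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IKE_DEFAULT_PORT = 500
ANY_PORT = 0            # ID-payload port value meaning "any port"

Endpoint = Tuple[str, int]   # (address, UDP port)


@dataclass(frozen=True)
class UdpDatagram:
    """Constructed stand-in for a UDP datagram; not an ISAKMP structure."""
    src: Endpoint
    dst: Endpoint
    payload: bytes


def build_reply(request: UdpDatagram, payload: bytes) -> UdpDatagram:
    """'Swap src/dst port and reply': answer to whatever endpoint the request
    came from, so the responder never needs to know which port the
    initiator (or a translator in between) chose."""
    return UdpDatagram(src=request.dst, dst=request.src, payload=payload)


def id_payload_port(listen_port: int) -> int:
    """Port value to put in the ID payload: 500 for a strictly-port-500
    implementation, 0 ('any port') when other ports are allowed."""
    return IKE_DEFAULT_PORT if listen_port == IKE_DEFAULT_PORT else ANY_PORT


def id_port_matches(id_port: int, observed_port: int) -> bool:
    """Compare the port asserted in a peer's ID payload with the UDP port
    its packets actually arrived from; 0 is a wildcard."""
    return id_port == ANY_PORT or id_port == observed_port


class Responder:
    """An IKE responder listening on an arbitrary UDP port (constructed)."""

    def __init__(self, addr: str, listen_port: int) -> None:
        self.local = (addr, listen_port)

    def handle(self, dgram: UdpDatagram) -> Optional[UdpDatagram]:
        if dgram.dst != self.local:
            return None  # not addressed to this responder
        return build_reply(dgram, b"reply to: " + dgram.payload)


class PortTranslator:
    """Minimal NAPT box (constructed model): rewrites the initiator's source
    endpoint on the way out and reverses the mapping on the way back."""

    def __init__(self, public_addr: str) -> None:
        self.public_addr = public_addr
        self.next_port = 40000
        self.outbound: Dict[Endpoint, Endpoint] = {}
        self.inbound: Dict[Endpoint, Endpoint] = {}

    def outward(self, dgram: UdpDatagram) -> UdpDatagram:
        if dgram.src not in self.outbound:
            mapped = (self.public_addr, self.next_port)
            self.next_port += 1
            self.outbound[dgram.src] = mapped
            self.inbound[mapped] = dgram.src
        return UdpDatagram(self.outbound[dgram.src], dgram.dst, dgram.payload)

    def inward(self, dgram: UdpDatagram) -> Optional[UdpDatagram]:
        inner = self.inbound.get(dgram.dst)
        if inner is None:
            return None  # no mapping: the translator drops it
        return UdpDatagram(dgram.src, inner, dgram.payload)


def run_scenarios() -> dict:
    """Direct and translated exchanges against a responder on port 7000
    (a constructed non-500 port). Returns where each reply ended up."""
    responder = Responder("198.51.100.5", 7000)
    results = {}

    # 1. Direct: initiator sends from an ephemeral port to port 7000.
    req = UdpDatagram(("192.0.2.10", 5011), responder.local, b"HDR, SA")
    reply = responder.handle(req)
    results["direct_reply_src"] = reply.src          # ("198.51.100.5", 7000)
    results["direct_reply_dst"] = reply.dst          # ("192.0.2.10", 5011)

    # 2. Through a NAPT box: the responder sees the translated endpoint and
    #    replies to it; the box maps the reply back to the initiator.
    nat = PortTranslator("203.0.113.1")
    outside = nat.outward(req)
    reply = nat.inward(responder.handle(outside))
    results["nat_seen_by_responder"] = outside.src   # ("203.0.113.1", 40000)
    results["nat_reply_dst"] = reply.dst             # ("192.0.2.10", 5011)

    # 3. ID-payload port value for each responder configuration.
    results["id_port_500"] = id_payload_port(500)    # 500
    results["id_port_7000"] = id_payload_port(7000)  # 0
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The point of scenario 2 is the one the message makes: the responder never learns the initiator's real port, and does not need to, because the reply is addressed to the translated endpoint and the box undoes the mapping. `id_port_matches` shows the other half of the blurb: a peer that sets 0 in its ID payload passes the port check whatever UDP port its packets used, while a peer that asserts 500 is held to exactly 500. Advertising the non-500 port in the first place is, as the message says, a separate problem this does not solve.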
