Re: matching GW addr to ID payload (fwd)
The NAT scenario being discussed here is:
Initiator----------NAT device---------------Responder
srcIP=ID=IP1       ID=IP1                   ID=IP1
                   srcIP=IP2                srcIP=IP2
An intermediate device has changed the srcIP address from IP1 to IP2, and
the responder uses the changed IP address to search for the pre-shared key,
ignoring the ID, which is unchanged and also protected.
This only works for static NAT, and does not work for dynamic NAT or NAT
overload.
The initiator is trying to authenticate to the responder using
ID=SrcIP=IP1, but the responder is authenticating the initiator as
SrcIP=IP2.
Is this acceptable, or should we enforce that ID and the IP address used
should be equal?
TIA,
chinna
On Fri, 3 Dec 1999, Stephen Kent wrote:
> I hate to jump in late to this discussion, as I may have lost the
> context. There is a big difference between asserting an address as an
> identity in the IP header, vs. asserting it in an IKE exchange, IF
> one uses certificates to authenticate the asserted identity in IKE.
> One can imagine several PKI scenarios that would enable one to have
> reasonable confidence in a cert issued for an address.
>
> Steve
>
chinna narasimha reddy pellacuru
s/w engineer
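To make the trade-off raised in the question concrete, here is an added model (not code from this thread or from any IKE implementation) of a responder selecting a pre-shared key either by the observed source address or by the ID payload, under the three NAT behaviours named above; the addresses, keys and session counts are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IkeMessage:
    src_ip: str       # outer IP header source; rewritten by the NAT device
    id_payload: str   # IKE ID payload; not rewritten and integrity-protected

# Constructed responder tables. Keying by the observed source address only
# works when the administrator can predict that address (static NAT, where
# IP1 is always translated to IP2 and IP3 to IP4).
PSK_BY_SRC_IP = {"IP2": "psk-host1", "IP4": "psk-host3"}
# Keying by the ID payload survives translation under every NAT type.
PSK_BY_ID = {"IP1": "psk-host1", "IP3": "psk-host3"}

INSIDE_HOSTS = ("IP1", "IP3")

# NAT behaviours: (inside address, session number) -> address the responder sees.
def no_nat(inner_ip, session):
    return inner_ip

def static_nat(inner_ip, session):
    return {"IP1": "IP2", "IP3": "IP4"}[inner_ip]       # fixed one-to-one mapping

def dynamic_nat(inner_ip, session):
    pool = ["IP2", "IP4"]                                # address drawn from a pool,
    return pool[(session + INSIDE_HOSTS.index(inner_ip)) % 2]  # varies per session

def nat_overload(inner_ip, session):
    return "IP2"                                         # every inside host shares one address

def responder_lookup(msg, key_by_id):
    """Responder's PSK selection: by ID payload, or by observed source address."""
    if key_by_id:
        return PSK_BY_ID.get(msg.id_payload)
    return PSK_BY_SRC_IP.get(msg.src_ip)

def check(nat, key_by_id, sessions=2):
    """True only if every initiator is matched to its own PSK in every session."""
    for session in range(sessions):
        for inner_ip in INSIDE_HOSTS:
            msg = IkeMessage(nat(inner_ip, session), inner_ip)
            if responder_lookup(msg, key_by_id) != PSK_BY_ID[inner_ip]:
                return False                             # wrong or missing key
    return True

def strict_id_equals_addr(nat):
    """The alternative in the question: require ID == source address."""
    return all(nat(ip, 0) == ip for ip in INSIDE_HOSTS)  # fails behind any NAT
```

Running check() with key_by_id=False reproduces the claim in the message: it succeeds under static NAT and fails under dynamic NAT and NAT overload, while the ID-keyed lookup succeeds in all three; strict_id_equals_addr() rejects every translated initiator.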