
Re: matching GW addr to ID payload (fwd)



The NAT scenario being discussed here is:

Initiator----------NAT device---------------Responder
srcIP=ID=IP1        ID=IP1                  ID=IP1
                    srcIP=IP2               srcIP=IP2

An intermediate device has changed the srcIP address from IP1 to IP2, and
the responder uses the changed IP address to search for the pre-shared key,
and ignores the ID, which is unchanged and also protected.

This only works for static NAT, and does not work for dynamic NAT or NAT
overload.

The initiator is trying to authenticate to the responder using
ID=SrcIP=IP1, but the responder is authenticating the initiator as
SrcIP=IP2.

Is this acceptable, or should we enforce that ID and the IP address used
should be equal?

TIA,
chinna

On Fri, 3 Dec 1999, Stephen Kent wrote:

> I hate to jump in late to this discussion, as I may have lost the 
> context. There is a big difference between asserting an address as an 
> identity in the IP header, vs. asserting it in an IKE exchange, IF 
> one uses certificates to authenticate the asserted identity in IKE. 
> One can imagine several PKI scenarios that would enable one to have 
> reasonable confidence in a cert issued for an address.
> 
> Steve
> 

chinna narasimha reddy pellacuru
s/w engineer
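A small model of the pre-shared-key selection problem raised in this mail, added here as an illustration; it is not code from the original post or from any IKE implementation, and the PSK table, the NAT mappings and all function names are constructed for the example. It shows why keying the responder's PSK table by post-NAT source address works for static NAT but becomes ambiguous under NAT overload, and what the proposed "ID must equal srcIP" check does to a NATed peer.

```python
"""Constructed model of responder PSK selection when an initiator sits behind NAT."""
from dataclasses import dataclass

# Constructed PSK table: one key per peer identity, as the responder's admin configured it.
PSK_BY_ID = {"IP1": b"key-for-IP1", "IP3": b"key-for-IP3"}

# Constructed NAT behaviours: static NAT maps inner to outer addresses 1:1,
# NAT overload maps several inner addresses to one outer address.
STATIC_NAT = {"IP1": "IP2", "IP3": "IP4"}
NAT_OVERLOAD = {"IP1": "IP2", "IP3": "IP2"}


@dataclass(frozen=True)
class IkeMessage:
    src_ip: str      # outer IP header source, rewritten by the NAT device
    id_payload: str  # ID payload, unchanged and integrity-protected end to end


def send_through_nat(inner_ip: str, nat: dict) -> IkeMessage:
    """The initiator asserts ID=srcIP=inner_ip; the NAT only rewrites the header."""
    return IkeMessage(src_ip=nat.get(inner_ip, inner_ip), id_payload=inner_ip)


def responder_table_for(nat: dict) -> dict:
    """PSK table the responder needs if it keys on the address seen on the wire.
    Returns None for an outer address that two different peers share (ambiguous)."""
    table = {}
    for inner, psk in PSK_BY_ID.items():
        outer = nat.get(inner, inner)
        if outer in table and table[outer] != psk:
            table[outer] = None   # overload: cannot tell the peers apart by srcIP
        else:
            table[outer] = psk
    return table


def lookup_psk_by_srcip(msg: IkeMessage, psk_by_srcip: dict):
    """Policy described in the thread: select the key from the (possibly NATed) srcIP."""
    return psk_by_srcip.get(msg.src_ip)


def lookup_psk_by_id(msg: IkeMessage):
    """Alternative: select the key from the protected ID payload."""
    return PSK_BY_ID.get(msg.id_payload)


def enforce_id_equals_srcip(msg: IkeMessage) -> bool:
    """The stricter rule proposed in the mail: reject if ID and srcIP differ."""
    return msg.id_payload == msg.src_ip
```

With the overload mapping both peers arrive as IP2, so `responder_table_for(NAT_OVERLOAD)` yields an ambiguous entry and the srcIP lookup fails, while the ID-based lookup still finds the right key; the equality check rejects every NATed initiator.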


