
Re: Comments regarding IPsec NAT traversal / new proposal



AH> ASSUMPTION: We do *not* wish to use the same UDP port for both IKE and
AH> IPsec traffic encapsulated in UDP. This is because we'd lose the possibility
AH> to filter these traffic types separately in a firewall. For this purpose we've
AH> reserved the port 2797 from IANA.
This should be a default with an option to modify at the remote system/initiator. The
reasoning is that port 2797 may not typically be open in foreign networks; in that event
the initiator can request to establish the session over a common port (i.e. 53) that is
typically open on firewalls.

AH> In particular, the method of negotiating and setting up UDP encapsulation as
AH> defined in draft-stenberg-ipsec-nat-traversal-00.txt is too complex. We propose the following
AH> mechanism for discussion:
AH> 1) IKE phase 1 is not modified.
AH> 2) IKE phase 2 adds a new protocol ID,
AH>        Protocol ID                         Value
AH>        -----------                         -----
AH>        RESERVED                            0
AH>        PROTO_ISAKMP                        1
AH>        PROTO_IPSEC_AH                      2
AH>        PROTO_IPSEC_ESP                     3
AH>        PROTO_IPCOMP                        4
AH>        PROTO_IPSEC_ESP_OVER_UDP            X

Agreed - however, you're assuming IKE will survive NAT. Will this affect the available
authentication mechanisms?

-jim
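As an added illustration of the proposal quoted above (example code written for this page, not from the draft's authors or any IPsec implementation): a parser for the ISAKMP Proposal payload of RFC 2408 that recognises the protocol IDs in the quoted table, plus a helper that picks the UDP encapsulation port for a negotiated ESP-over-UDP SA, defaulting to 2797 with the initiator-requested override the reply argues for. The draft leaves the new protocol ID as "X"; the value 99 used here is a placeholder for the example only, and the sample payload bytes are constructed.

```python
import struct
from typing import Optional

# Protocol IDs of the ISAKMP Proposal payload as listed in the quoted message.
# The message leaves the ESP-over-UDP value as "X"; 99 is a placeholder chosen
# for this example only, not an assigned value.
PROTO_IPSEC_ESP_OVER_UDP = 99
PROTO_NAMES = {
    0: "RESERVED",
    1: "PROTO_ISAKMP",
    2: "PROTO_IPSEC_AH",
    3: "PROTO_IPSEC_ESP",
    4: "PROTO_IPCOMP",
    PROTO_IPSEC_ESP_OVER_UDP: "PROTO_IPSEC_ESP_OVER_UDP",
}

DEFAULT_ENCAP_PORT = 2797  # the IANA-reserved port named in the message

# RFC 2408 section 3.5: Next Payload, RESERVED, Payload Length, Proposal #,
# Protocol-ID, SPI Size, # of Transforms; then the SPI, then Transform payloads.
PROPOSAL_HDR = struct.Struct("!BBHBBBB")
# RFC 2408 section 3.6: Next Payload, RESERVED, Payload Length, Transform #,
# Transform-ID, RESERVED2; SA attributes follow up to Payload Length.
TRANSFORM_HDR = struct.Struct("!BBHBBH")


def parse_proposal(payload: bytes) -> dict:
    """Parse one Proposal payload and the fixed headers of its Transform payloads.
    Every length field is checked against the buffer before it is used, so a
    truncated or self-inconsistent payload raises ValueError instead of being
    read past its end."""
    if len(payload) < PROPOSAL_HDR.size:
        raise ValueError("proposal shorter than its fixed header")
    (_next, _rsv, length, prop_no, proto_id,
     spi_size, n_tf) = PROPOSAL_HDR.unpack_from(payload)
    if length > len(payload) or length < PROPOSAL_HDR.size + spi_size:
        raise ValueError("proposal length inconsistent with buffer or SPI size")
    off = PROPOSAL_HDR.size
    spi = payload[off:off + spi_size]
    off += spi_size
    transforms = []
    for _ in range(n_tf):
        if off + TRANSFORM_HDR.size > length:
            raise ValueError("transform count exceeds proposal length")
        _n, _r, tf_len, tf_no, tf_id, _r2 = TRANSFORM_HDR.unpack_from(payload, off)
        if tf_len < TRANSFORM_HDR.size or off + tf_len > length:
            raise ValueError("transform length out of range")
        transforms.append({"number": tf_no, "transform_id": tf_id,
                           "attributes": payload[off + TRANSFORM_HDR.size:off + tf_len]})
        off += tf_len
    if off != length:
        raise ValueError("trailing bytes inside proposal")
    return {"proposal": prop_no, "protocol_id": proto_id,
            "protocol": PROTO_NAMES.get(proto_id, "UNKNOWN"),
            "spi": spi, "transforms": transforms}


def encapsulation_port(proposal: dict, requested: Optional[int] = None) -> Optional[int]:
    """UDP port the encapsulated ESP traffic for this proposal would use:
    None when the protocol is not ESP-over-UDP, 2797 by default, or the port
    the initiator asked for (the per-session override suggested in the reply)."""
    if proposal["protocol_id"] != PROTO_IPSEC_ESP_OVER_UDP:
        return None
    return requested if requested is not None else DEFAULT_ENCAP_PORT


# Constructed sample: proposal #1 for ESP-over-UDP with a 4-byte SPI and one
# transform (Transform-ID 3, no attributes). Length = 8 + 4 + 8 = 20 octets.
SAMPLE = (PROPOSAL_HDR.pack(0, 0, 20, 1, PROTO_IPSEC_ESP_OVER_UDP, 4, 1)
          + bytes.fromhex("00001234")
          + TRANSFORM_HDR.pack(0, 0, 8, 1, 3, 0))

if __name__ == "__main__":
    p = parse_proposal(SAMPLE)
    print(p["protocol"], p["spi"].hex(), encapsulation_port(p), encapsulation_port(p, 53))
```

Keeping the encapsulation port a separate, negotiated value rather than reusing the IKE port is what preserves the firewall distinction the quoted message is after: a filter can still admit UDP/500 for IKE while treating the ESP-over-UDP port (2797 or whatever the initiator was allowed to request) under its own policy.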