Re: Comments regarding IPsec NAT traversal / new proposal
AH> ASSUMPTION: We do *not* wish to use the same UDP port for both IKE and
AH> IPsec traffic encapsulated in UDP. This is because we'd lose the possibility
AH> to filter these traffic types separately in a firewall. For this purpose we've
AH> reserved the port 2797 from IANA.
This should be a default with an option to modify at the remote system/initiator. The
reasoning is that port 2797 may not typically be open in foreign networks; in that event
the initiator can request to establish the session over a common port (i.e. 53) that is
typically open on firewalls.
AH> In particular, the method of negotiating and setting up UDP encapsulation as
AH> defined in draft-stenberg-ipsec-nat-traversal-00.txt is too complex. We propose the following
AH> mechanism for discussion:
AH> 1) IKE phase 1 is not modified.
AH> 2) IKE phase 2 adds a new protocol ID,
AH>    Protocol ID                 Value
AH>    -----------                 -----
AH>    RESERVED                      0
AH>    PROTO_ISAKMP                  1
AH>    PROTO_IPSEC_AH                2
AH>    PROTO_IPSEC_ESP               3
AH>    PROTO_IPCOMP                  4
AH>    PROTO_IPSEC_ESP_OVER_UDP      X
Agreed - however, you're assuming IKE will survive NAT. Will this affect the available