
Re: NAT and IPsec




Jari Arkko wrote:
> 
> Joern writes:
> 
> > >* Would it be simpler to just use a client-initiated
> > >  ping as needed rather than a special-case heartbeat
> > >  packets as in two of the drafts?
> >
> > There are two UDP ports here... IKE and ESPoverUDP.
> > With the ping you only keep ESPoverUDP alive.
> 
> Ah. Yes. Does somebody have an idea how long a large NAT's UDP
> session storage lasts, typically?
> 
> Note that if you were to encapsulate both IKE and ESP to the
> same UDP port number (2797) then there'd be a need to keep
> just that alive, either with the ping or with the empty IKE message
> you suggested.

This is of course possible. However, I strongly believe that we should
allow the firewall administrator an easy way to distinguish between the
two types of traffic. If this weren't necessary, we could just make
an RFC that all traffic must be passed along TCP port 80.

It is also possible to define a method to negotiate the port used.
I didn't try to define this, since it just makes the thing more
complicated.

Ari

-- 
Ari Huttunen                   phone: +358 9 859 900
Senior Software Engineer       fax  : +358 9 8599 0452

F-Secure Corporation       http://www.F-Secure.com 

F-Secure products: Integrated Solutions for Enterprise Security
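The point Joern and Ari are making above (a ping only refreshes the NAT binding for the port it is sent on, so with IKE and ESP-over-UDP on separate ports each needs its own keepalive) is easy to see in a small model of a NAT's UDP session table. The following is an added example written for this archive page, not code from the thread, either draft, or F-Secure. It assumes UDP/500 for IKE and uses the UDP port 2797 quoted in the thread for ESP-over-UDP; the NAT idle timeout, keepalive interval and external port numbers are constructed values. The model also covers the two cases the thread raises: putting IKE and ESP on the same UDP port so that one keepalive suffices, and the failure when the keepalive interval exceeds the NAT's timeout (the NAT silently allocates a new external port, so the peer's return traffic is dropped).

```python
"""Toy model of a NAT's UDP session table: which keepalive keeps which
binding alive.  Added example; ports/timeouts are assumed values."""

IKE_PORT = 500        # IKE's well-known UDP port
ESP_UDP_PORT = 2797   # ESP-over-UDP port number quoted in the thread (assumed)


class NatUdpTable:
    """One binding per inside UDP port (single inside host, fixed peer).

    An outbound packet refreshes a live binding or, if none exists or the
    old one has idled out, allocates a fresh external port.  Inbound packets
    are delivered only if a live binding owns that external port."""

    def __init__(self, idle_timeout, first_external_port=40000):
        self.idle_timeout = idle_timeout
        self.next_port = first_external_port
        self.bindings = {}  # inside_port -> (external_port, last_seen)

    def outbound(self, inside_port, now):
        """Client -> peer packet. Returns the external port the NAT used."""
        entry = self.bindings.get(inside_port)
        if entry is not None and now - entry[1] <= self.idle_timeout:
            self.bindings[inside_port] = (entry[0], now)   # refresh
            return entry[0]
        ext = self.next_port                                # (re)allocate
        self.next_port += 1
        self.bindings[inside_port] = (ext, now)
        return ext

    def inbound(self, external_port, now):
        """Peer -> client packet. Returns inside port, or None if dropped."""
        for inside, (ext, seen) in self.bindings.items():
            if ext == external_port and now - seen <= self.idle_timeout:
                self.bindings[inside] = (ext, now)
                return inside
        return None


def simulate(keepalive_ports, nat_timeout, interval, duration,
             esp_port=ESP_UDP_PORT):
    """Open IKE and ESP-over-UDP bindings at t=0, send a client-initiated
    keepalive on each port in keepalive_ports every `interval` seconds,
    then check whether the peer can still reach both original bindings.

    esp_port=IKE_PORT models the single-port variant from the thread."""
    nat = NatUdpTable(idle_timeout=nat_timeout)
    # Initial exchange: the peer learns these external ports at t=0.
    ext = {IKE_PORT: nat.outbound(IKE_PORT, 0)}
    ext[esp_port] = nat.outbound(esp_port, 0)

    t = interval
    while t <= duration:
        for port in keepalive_ports:
            nat.outbound(port, t)
        t += interval

    # The peer sends to the external ports it learned at t=0.
    return {
        "ike": nat.inbound(ext[IKE_PORT], duration) == IKE_PORT,
        "esp": nat.inbound(ext[esp_port], duration) == esp_port,
    }


if __name__ == "__main__":
    # Ping on the ESP-over-UDP port only: IKE binding ages out.
    print("esp-only keepalive :", simulate([ESP_UDP_PORT], 60, 30, 600))
    # Keepalive on both ports: both bindings survive.
    print("both ports         :", simulate([IKE_PORT, ESP_UDP_PORT], 60, 30, 600))
    # Interval longer than the NAT timeout: binding is re-created with a
    # new external port, so the peer's packets to the old port are dropped.
    print("interval > timeout :", simulate([ESP_UDP_PORT], 60, 120, 600))
    # Everything on one port (esp_port == IKE_PORT): one keepalive suffices.
    print("single port        :", simulate([IKE_PORT], 60, 30, 600, esp_port=IKE_PORT))
```

The third case is the one worth remembering when choosing a keepalive interval: the keepalive does not merely "fail to help", it re-binds the session to a new external port, and nothing on the client side notices until the peer's traffic stops arriving. Real NATs vary widely in their UDP idle timeouts, which is exactly Jari's open question above, so an interval chosen against one device may be too long for another.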

