
Re: IKEv2 and NAT traversal

>>>>> "Sami" == Sami Vaarala <sami.vaarala@netseal.com> writes:
    Sami> The UDP encapsulation draft assumes that IKE packets never begin with
    Sami> eight zero bytes, whereas in IKEv2 the first eight bytes are the recipient
    Sami> SPI (cookie) (which is potentially zero).

    Sami> Since IKEv2 also runs on port 500, this seems like a problem.

  Since the NAT people insisted on running on the same port using a terrible 
hack to get around a number of imaginary problems, frankly, I think that this
is the NAT people's problem.

  BTW: if we pick JFK, and the JFK people appear to feel strongly that they
should run on a different port than 500, all of the "use the same port"
arguments have become moot.

  Further, I think that IKE has the right to change things with the cookie
values at any time. 

  You made this kludge, now lie in it.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
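The demultiplexing problem Sami raises, worked through as an added example (this is not code from the thread, from the UDP encapsulation draft, or from any IKE implementation). The first classifier applies the rule as the message describes it: a datagram on the shared port that begins with eight zero bytes is UDP-encapsulated ESP, anything else is IKE. An IKE header whose first eight-byte SPI field is zero is then misrouted to ESP. The second classifier goes beyond the thread and shows the marker placed on the IKE side instead, the design RFC 3948 later adopted: a four-byte zero "non-ESP marker" in front of every IKE message, which cannot collide with ESP because SPI zero never appears on the wire. The header builder takes the order of the two SPI fields as a parameter, since the message puts the recipient SPI first while RFC 7296 puts the initiator's (never-zero) SPI first; the exchange-type, flag and payload constants are the RFC 7296 values and the packets are constructed, not captured.

```python
import struct

# --- Scheme as described in the thread: ESP-in-UDP carries an 8-byte all-zero
# "non-IKE" marker; IKE is assumed never to begin with eight zero bytes.
NON_IKE_MARKER = b"\x00" * 8


def classify_non_ike_marker(datagram: bytes) -> str:
    """Receiver-side demux for the scheme the thread discusses."""
    if len(datagram) < 8:
        return "runt"
    return "esp" if datagram[:8] == NON_IKE_MARKER else "ike"


# --- Alternative scheme (outside the thread; what RFC 3948 later adopted):
# IKE carries a 4-byte all-zero "non-ESP" marker. A bare ESP packet starts
# with its SPI, and SPI 0 is reserved for local use and never sent on the
# wire, so an IKE message whose SPI fields are zero cannot be mistaken for it.
NON_ESP_MARKER = b"\x00" * 4


def classify_non_esp_marker(datagram: bytes) -> str:
    if len(datagram) < 4:
        return "runt"
    return "ike" if datagram[:4] == NON_ESP_MARKER else "esp"


def ike_header(first_spi: int, second_spi: int, exchange_type: int,
               flags: int, message_id: int, payload_len: int) -> bytes:
    """28-byte IKE header: two 8-byte SPI/cookie fields, next payload (34 = SA),
    version 2.0, exchange type, flags, message id, total length.
    Which SPI comes first is a parameter (assumption: the thread and RFC 7296
    differ on the order)."""
    return struct.pack("!QQBBBBII", first_spi, second_spi, 34, 0x20,
                       exchange_type, flags, message_id, 28 + payload_len)


def esp_payload(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header (SPI, sequence number) followed by opaque ciphertext."""
    return struct.pack("!II", spi, seq) + ciphertext


def esp_in_udp_non_ike(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """UDP payload under the thread's scheme: zero marker, then ESP."""
    return NON_IKE_MARKER + esp_payload(spi, seq, ciphertext)


def ike_in_udp_non_esp(header: bytes) -> bytes:
    """UDP payload under the alternative scheme: zero marker, then IKE."""
    return NON_ESP_MARKER + header


def demo() -> dict:
    """Run both classifiers over constructed sample datagrams."""
    # IKE_SA_INIT request (exchange type 34, Initiator flag 0x08), with the
    # first SPI field zero: the case the message warns about.
    ike_zero_first = ike_header(0, 0x1122334455667788, 34, 0x08, 0, 0)
    # The same message with a non-zero cookie in front, as IKEv1 guarantees.
    ike_nonzero_first = ike_header(0x1122334455667788, 0, 34, 0x08, 0, 0)
    esp_bare = esp_payload(spi=0x12345678, seq=1, ciphertext=b"\xaa" * 16)
    esp_marked = esp_in_udp_non_ike(0x12345678, 1, b"\xaa" * 16)
    return {
        # thread's scheme
        "esp": classify_non_ike_marker(esp_marked),
        "ike_nonzero_first": classify_non_ike_marker(ike_nonzero_first),
        "ike_zero_first": classify_non_ike_marker(ike_zero_first),  # misrouted
        # alternative scheme: marker on the IKE side
        "alt_ike_zero_first": classify_non_esp_marker(
            ike_in_udp_non_esp(ike_zero_first)),
        "alt_esp": classify_non_esp_marker(esp_bare),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} -> {verdict}")
```

Under the thread's rule the zero-first-SPI IKE message comes back as "esp", which is exactly the collision described; the only receiver-side fix is a longer sanity check on the would-be ESP header, and that still cannot distinguish the two cases reliably. Moving the marker onto the IKE side removes the dependence on any property of IKE's cookie values, which is the point Michael makes about IKE being free to change them.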
