Re: IKEv2 and NAT traversal
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Sami" == Sami Vaarala <sami.vaarala@netseal.com> writes:
Sami> The UDP encapsulation draft assumes that IKE packets never begin with
Sami> eight zero bytes, whereas in IKEv2 the first eight bytes are the recipient
Sami> SPI (cookie) (which is potentially zero).
Sami> Since IKEv2 also runs on port 500, this seems like a problem.
Since the NAT people insisted on running on the same port, using a terrible
hack to get around a number of imaginary problems, frankly, I think that this
is the NAT people's problem.
BTW: if we pick JFK, and the JFK people appear to feel strongly that they
should run on a different port than 500, all of the "use the same port"
arguments have become moot.
Further, I think that IKE has the right to change things with the cookie
values at any time.
You made this kludge, now lie in it.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys
iQCVAwUBPBZn14qHRg3pndX9AQEsxwP/TXCbRsSK/79/8V52M4c5spYxiij6koky
HGtnFFG4E/3ox3AeZxbomjRvhuTPfLzZXAxgkzRXUJCN8azlNGqbTxAryIgvbzET
EdqpwLUIrVyenaTYPDEjfXzy0kXNa0nMg3W8KmlObW0aCVmIcXRwSTkvwIPGSuYA
IZJNcHlPEGQ=
=pwYd
-----END PGP SIGNATURE-----
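The demultiplexing problem Sami raises, worked through as an added example that is not part of the original thread or of any draft text. It models the early udp-encaps rule Sami describes (ESP-in-UDP carries an eight-zero-byte "non-IKE marker", IKE is sent raw) and shows that an IKE header whose first eight bytes are zero is misclassified as ESP. For contrast it also models the rule the working group later standardized in RFC 3948 (a four-zero-byte "non-ESP marker" on IKE, ESP sent raw, sound because ESP SPIs 0..255 are reserved and never appear on the wire); RFC 3948 is not mentioned on this page. The packet builders, field values and marker constants are constructed here for illustration.

```python
"""Demultiplexing IKE from UDP-encapsulated ESP on a shared UDP port.

Two marker schemes, both constructed here for illustration:
  * early-draft "non-IKE marker": ESP-in-UDP is prefixed with eight zero
    bytes and anything else on the port is treated as raw IKE; this relies
    on an IKE header never beginning with eight zero bytes.
  * RFC 3948 "non-ESP marker": IKE is prefixed with four zero bytes and ESP
    is sent raw; ESP SPIs 0..255 are reserved, so ESP never begins with
    four zero bytes.
"""
import struct

NON_IKE_MARKER = b"\x00" * 8   # early draft: prepended to ESP, IKE sent raw
NON_ESP_MARKER = b"\x00" * 4   # RFC 3948: prepended to IKE, ESP sent raw

IKE_SA_INIT = 34  # IKEv2 exchange type, used only as a placeholder value


def build_esp(spi: int, seq: int, payload: bytes) -> bytes:
    """Minimal ESP packet: SPI (4 bytes), sequence number (4 bytes), payload.
    SPI values 0..255 are reserved (RFC 4303), so a real ESP packet can never
    begin with four zero bytes."""
    if not 256 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI values 0..255 are reserved and not sent on the wire")
    return struct.pack("!II", spi, seq) + payload


def build_ike_header(first_spi: int, second_spi: int, exchange_type: int) -> bytes:
    """28-byte IKE header: two 8-byte SPI/cookie fields, then next payload,
    version, exchange type, flags, message ID and length. Everything after the
    two SPI fields is a fixed placeholder; only the leading bytes matter here."""
    return struct.pack("!QQBBBBII", first_spi, second_spi,
                       0x21, 0x20, exchange_type, 0x08, 0, 28)


def encapsulate_draft(kind: str, pkt: bytes) -> bytes:
    """Early-draft sender: ESP gets the 8-byte non-IKE marker, IKE is sent raw."""
    return NON_IKE_MARKER + pkt if kind == "ESP" else pkt


def demux_draft(udp_payload: bytes) -> str:
    """Early-draft receiver: eight leading zero bytes mean ESP, anything else IKE.
    Only sound if an IKE header can never start with eight zero bytes."""
    return "ESP" if udp_payload[:8] == NON_IKE_MARKER else "IKE"


def encapsulate_rfc3948(kind: str, pkt: bytes) -> bytes:
    """RFC 3948 sender (UDP/4500): IKE gets the 4-byte non-ESP marker, ESP is raw."""
    return NON_ESP_MARKER + pkt if kind == "IKE" else pkt


def demux_rfc3948(udp_payload: bytes) -> str:
    """RFC 3948 receiver: four leading zero bytes mean IKE, anything else ESP.
    Sound because an ESP SPI is never 0..255, so ESP never starts with 0x00000000."""
    return "IKE" if udp_payload[:4] == NON_ESP_MARKER else "ESP"


def round_trip(kind: str, pkt: bytes) -> dict:
    """Send one packet through both schemes and report what each receiver decides."""
    return {
        "draft": demux_draft(encapsulate_draft(kind, pkt)),
        "rfc3948": demux_rfc3948(encapsulate_rfc3948(kind, pkt)),
    }


if __name__ == "__main__":
    # Constructed sample packets.
    esp = build_esp(spi=0x1000, seq=1, payload=b"\xaa" * 16)
    # IKEv1-style header: initiator cookie first, never zero.
    ike_nonzero = build_ike_header(0x0102030405060708, 0, IKE_SA_INIT)
    # Header whose first eight bytes are zero, the case Sami's message describes
    # for an IKEv2 message whose recipient SPI is not yet known.
    ike_zero = build_ike_header(0, 0x0102030405060708, IKE_SA_INIT)

    print("ESP         ", round_trip("ESP", esp))
    print("IKE nonzero ", round_trip("IKE", ike_nonzero))
    print("IKE zero    ", round_trip("IKE", ike_zero))   # draft rule says ESP here
```

The third print is the failure mode from the message: under the draft rule the receiver hands a valid IKE message to the ESP input path, where it fails SPI lookup and is dropped, so the exchange never starts. Moving the marker onto IKE removes the dependency on IKE's header contents entirely and rests instead on the reserved ESP SPI range.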