
Re: Son-of-IKE Performance



Alex Alten wrote:
> 
> At 10:59 PM 12/7/2001 -0500, Steven M. Bellovin wrote:
> >In message <001a01c17f9b$6d251610$1e72788a@andrewk3.ca.newbridge.com>,
> >"Andrew Krywaniuk" writes:
> >>
> >>Here's a question. Have the authors of JFK given any thought to how (if?)
> >>they will incorporate NAT-traversal? With IKEv2, the already completed
> >>drafts from IKEv1 can be presumably carried forward.
> >
> >JFK doesn't rely on IP addresses at all -- it can pass through NATs
> >just fine.
> >
> 
> Wow!  Now I am interested in reading the draft.  Since IP addresses are so
> ephemeral and insecure, this, if designed correctly, would be a fundamental
> step forward.

IKEv1 also goes through NATs just fine when you don't use IP address based
identities; it's ESP and AH that don't.

Ari

-- 
"They that can give up essential liberty to obtain a little 
temporary safety deserve neither liberty nor safety." - Benjamin Franklin

Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com 

F(ully)-Secure products: Securing the Mobile Enterprise

