Re: Son-of-IKE Performance
Alex Alten wrote:
>
> At 10:59 PM 12/7/2001 -0500, Steven M. Bellovin wrote:
> >In message <001a01c17f9b$6d251610$1e72788a@andrewk3.ca.newbridge.com>,
> >"Andrew Krywaniuk" writes:
> >>
> >>Here's a question. Have the authors of JFK given any thought to how (if?)
> >>they will incorporate NAT-traversal? With IKEv2, the already completed
> >>drafts from IKEv1 can be presumably carried forward.
> >
> >JFK doesn't rely on IP addresses at all -- it can pass through NATs
> >just fine.
> >
>
> Wow! Now I am interested in reading the draft. Since IP addresses are so
> ephemeral and insecure, this, if designed correctly, would be a fundamental
> step forward.
IKEv1 also goes through NATs just fine when you don't use IP address based
identities; it's ESP and AH that don't.
Ari
--
"They that can give up essential liberty to obtain a little
temporary safety deserve neither liberty nor safety." - Benjamin Franklin
Ari Huttunen phone: +358 9 2520 0700
Software Architect fax : +358 9 2520 5001
F-Secure Corporation http://www.F-Secure.com
F(ully)-Secure products: Securing the Mobile Enterprise