Re: IKEv2 and NAT traversal
mcr@sandelman.ottawa.on.ca (Michael Richardson) writes:
> >>>>> "Sami" == Sami Vaarala <sami.vaarala@netseal.com> writes:
> Sami> The UDP encapsulation draft assumes that IKE packets never begin with
> Sami> eight zero bytes, whereas in IKEv2 the first eight bytes are the recipient
> Sami> SPI (cookie) (which is potentially zero).
>
> Sami> Since IKEv2 also runs on port 500, this seems like a problem.
> Since the NAT people insisted on running on the same port using a
> terrible hack to get around a number of imaginary problems, frankly, I
> think that this is the NAT people's problem.
I'm tired of reiterating the same stupid arguments over and over. See
draft-ietf-ipsec-udp-encaps-justification-00.txt section 7.2.
> BTW: if we pick JFK, and the JFK people appear to feel strongly that they
> should run on a different port than 500, all of the "use the same port"
> arguments have become moot.
No. See above.
> Further, I think that IKE has the right to change things with the cookie
> values at any time.
>
> You made this kludge, now lie in it.
NAT-traversing IPsec is an IETF-sanctioned kludge to deal with another
IETF-sanctioned kludge (NATs).
I'd find the world a lot happier place without NATs. However, I find it
likely that IPsec is the one to die if it doesn't live with NATs, and not
the NATs, regrettably.
> ] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
> ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
> ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
> ] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-Markus
--
Markus Stenberg <stenberg@ssh.com> of SSH Communications Security (www.ssh.com)
Chief Engineer / SSH Go (igo) teacher
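As an added illustration of the demultiplexing problem Sami raises (this is example code written for this page, not code from the thread or from either draft), the Python below implements the port-500 rule exactly as the quoted text states it: a UDP payload on port 500 that begins with eight zero bytes is treated as UDP-encapsulated ESP, anything else as IKE. It then builds three constructed packets and shows that an IKE packet whose leading eight-byte SPI/cookie field is all zero is classified as ESP. The 28-byte IKE/ISAKMP header layout, the version bytes (0x10 for IKEv1, 0x20 for IKEv2) and the exchange-type values are taken from the IKE specifications; the eight-zero-byte marker rule is assumed from the quoted description; `classify_port4500` is the rule RFC 3948 later standardised on a separate port and is included only for contrast with Michael's "different port" remark. All packet contents and SPI values are made up.

```python
import struct

# Assumed from the quoted description of the UDP encapsulation draft:
# on port 500, UDP-encapsulated ESP is prefixed with eight zero bytes, and a
# receiver treats "payload starts with eight zero bytes" as ESP, else IKE.
NON_IKE_MARKER = b"\x00" * 8

# IKE/ISAKMP header, shared by IKEv1 and IKEv2: initiator cookie/SPI (8),
# responder cookie/SPI (8), next payload, version, exchange type, flags,
# message ID (4), length (4). 28 bytes in total.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# ESP header as carried inside UDP: SPI (4), sequence number (4).
ESP_HDR = struct.Struct("!II")


def build_ike_packet(spi_i: bytes, spi_r: bytes, version: int,
                     exch_type: int, body: bytes) -> bytes:
    """Return an IKE packet: generic header followed by an opaque body."""
    length = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(spi_i, spi_r, 0, version, exch_type, 0, 0, length) + body


def build_udp_encap_esp_port500(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Return ESP-in-UDP for port 500 under the assumed marker rule."""
    return NON_IKE_MARKER + ESP_HDR.pack(spi, seq) + ciphertext


def classify_port500(payload: bytes) -> str:
    """Demux a UDP payload received on port 500 using the assumed rule."""
    if len(payload) < 8:
        return "runt"
    return "esp" if payload[:8] == NON_IKE_MARKER else "ike"


# For contrast: RFC 3948 moved NAT-T to UDP port 4500, where IKE carries a
# four-zero-byte Non-ESP Marker and ESP starts with its (never zero) SPI.
NON_ESP_MARKER = b"\x00" * 4


def classify_port4500(payload: bytes) -> str:
    """Demux a UDP payload received on port 4500 under the RFC 3948 rule."""
    if len(payload) < 4:
        return "runt"
    return "ike" if payload[:4] == NON_ESP_MARKER else "esp"


def demo() -> dict:
    """Classify three constructed packets; values are made up for the demo."""
    body = b"\xaa" * 16  # constructed placeholder for payloads/ciphertext

    # IKEv1 identity-protection (main mode) first message: non-zero
    # initiator cookie, zero responder cookie. Starts with non-zero bytes.
    ikev1 = build_ike_packet(b"\x11" * 8, b"\x00" * 8, 0x10, 2, body)

    # UDP-encapsulated ESP on port 500 with a made-up SPI.
    esp500 = build_udp_encap_esp_port500(0x00C0FFEE, 1, body)

    # The collision Sami describes: an IKE packet (IKEv2 version byte,
    # IKE_SA_INIT exchange type 34) whose first eight-byte SPI field is zero.
    ike_zero_spi = build_ike_packet(b"\x00" * 8, b"\x22" * 8, 0x20, 34, body)

    return {
        "ikev1_on_500": classify_port500(ikev1),            # "ike"
        "esp_on_500": classify_port500(esp500),             # "esp"
        "zero_spi_ike_on_500": classify_port500(ike_zero_spi),  # "esp": misclassified
        "zero_spi_ike_on_4500": classify_port4500(NON_ESP_MARKER + ike_zero_spi),  # "ike"
        "esp_on_4500": classify_port4500(ESP_HDR.pack(0x00C0FFEE, 1) + body),      # "esp"
    }


if __name__ == "__main__":
    for name, kind in demo().items():
        print(f"{name:24s} -> {kind}")
```

The third result is the point of the thread: with a marker that lives in the same bytes as the IKE SPI field, the receiver cannot tell a zero-SPI IKE packet from encapsulated ESP. Marking the IKE side instead, and relying on ESP SPIs being non-zero, is what removes the ambiguity, at the cost of the separate port Michael mentions.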