Re: IKEv2 and NAT traversal

>>>>> "Ari" == Ari Huttunen <Ari.Huttunen@f-secure.com> writes:
    Ari> For almost a year there has been discussion of whether to move this common
    Ari> IKE and ESPUDP used in the encapsulation draft to a different port than 500,

  I do not dispute that IKE must stay on port 500.

  But, if JFK does not also run on port 500, then you have PRECISELY the same 
problem that ESPUDP had with running NAT-IKE and/or ESPUDP on a different port.

    Ari> The second constraint was the attempt to save bandwidth by reducing the amount
    Ari> of NAT keepalive packets by using one port, instead of a two port model, like
    Ari> I presented in my first draft a year ago. Unfortunately the constraint of not

  So, if you solve the JFK is on a different port and you need to try both
IKEv1 and JFK and figure out also if you have NAT in the way, then you still
have this two-port problem and restarting stuff. 
  Of course, JFK with no phase 1 to keepalive can just let the NAT time out on that.

  If the answer is "of course you know by policy whether to use JFK or
IKEv2", then I would ask why your policy doesn't tell you lots of other
things, like if you have NAT or not. The pre-arrangement argument only
applies to road warrior scenarios.
  
    Ari> There's another reason than IKEv2 swapping the cookies to use a port that is
    Ari> not 500. It's that many of the NAT boxes seem to attempt to do intelligent
    Ari> stuff for IKE, and this causes them to break when ESPUDP is flowing through them,
    Ari> because they get confused with 'zero cookies'. My American co-authors have more
    Ari> exact information about this.

  What a hoot! The NATs are screwing up the kludge used by ESPUDP! 

  That wouldn't happen if the data was kept separate.

  Kludges are kludges are kludges.
  
  As the ESPUDP drafts are not RFCs yet, I also accept that it has been "IETF 
sanctioned" yet.

    Ari> This is an interesting question. I also used to consider a protocol just
    Ari> a contract between Ari and Bob, who wish to communicate. However, there's
    Ari> Ned in the middle who wishes to 'do stuff' to the protocol while it is
    Ari> in transit. If we consider that doing NAT is a valid thing to do, are
    Ari> Ari and Bob free to change the protocol so that Ned's implementation fails?

  End-to-end model arguments apply.
  Good protocol design arguments apply.
  
  This is just another reason to get ESPUDP off of port 500.
  (And to get JFK onto port 500, even if the HDR is totally phony)

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
