Re: IKEv2 and NAT traversal
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Ari" == Ari Huttunen <Ari.Huttunen@f-secure.com> writes:
Ari> For almost a year there has been discussion of whether to move this common
Ari> IKE and ESPUDP used in the encapsulation draft to a different port than 500,
I do not dispute that IKE must stay on port 500.
But, if JFK does not also run on port 500, then you have PRECISELY the same
problem that ESPUDP had with running NAT-IKE and/or ESPUDP on a different port.
Ari> The second constraint was the attempt to save bandwidth by reducing the amount
Ari> of NAT keepalive packets by using one port, instead of a two port model, like
Ari> I presented in my first draft a year ago. Unfortunately the constraint of not
So, if you solve the JFK is on a different port and you need to try both
IKEv1 and JFK and figure out also if you have NAT in the way, then you still
have this two-port problem and restarting stuff.
Of course, JFK with no phase 1 to keepalive can just let the NAT time out on that.
If the answer is "of course you know by policy whether to use JFK or
IKEv2", then I would ask why your policy doesn't tell you lots of other
things, like if you have NAT or not. The pre-arrangement argument only
applies to road warrior scenarios.
Ari> There's another reason than IKEv2 swapping the cookies to use a port that is
Ari> not 500. It's that many of the NAT boxes seem to attempt to do intelligent
Ari> stuff for IKE, and this causes them to break when ESPUDP is flowing through them,
Ari> because they get confused with 'zero cookies'. My American co-authors have more
Ari> exact information about this.
What a hoot! The NATs are screwing up the kludge used by ESPUDP!
That wouldn't happen if the data was kept separate.
Kludges are kludges are kludges.
As the ESPUDP drafts are not RFCs yet, I also accept that it has been "IETF
sanctioned" yet.
Ari> This is an interesting question. I also used to consider a protocol just
Ari> a contract between Ari and Bob, who wish to communicate. However, there's
Ari> Ned in the middle who wishes to 'do stuff' to the protocol while it is
Ari> in transit. If we consider that doing NAT is a valid thing to do, are
Ari> Ari and Bob free to change the protocol so that Ned's implementation fails?
End-to-end model arguments apply.
Good protocol design arguments apply.
This is just another reason to get ESPUDP off of port 500.
(And to get JFK onto port 500, even if the HDR is totally phony)
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys
iQCVAwUBPBe1goqHRg3pndX9AQEC2QQAkizaMokJ6tBoOOP7pPTmM9sgzYVQAm8D
CELGvLpwchjhbc772q5ua39HckIbcpR1j/zVmjfXqiRdi6tOUZLtCL33KimlpN0E
CopPK6BrCyPCJK62IZNBatxxdPfuDRDlLHB+NXmVwerg927PqmZlCfclZCI7/0TY
kx5sJXCRs/E=
=ItYQ
-----END PGP SIGNATURE-----
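The "zero cookies" kludge argued over above is the demultiplexing trick that lets IKE and UDP-encapsulated ESP share one UDP port: the ESP packet is prefixed with a run of zero octets in the position where an IKE header carries its initiator cookie/SPI, which a real IKE header can never have as zero. The following is an added example, not code from this thread or from the ESPUDP drafts; it follows the format that was eventually published as RFC 3948 (a 4-octet non-ESP marker and a single 0xFF NAT keepalive octet), and it assumes that the draft versions discussed here may have used a different marker length, which is why MARKER is a constant. It also models, as a hypothetical `naive_ike_alg`, a NAT that parses every port-500 datagram as IKE and so drops the encapsulated ESP, which is the breakage Ari describes. All sample packets are constructed inline.

```python
"""Demultiplex IKE, UDP-encapsulated ESP and NAT keepalives sharing one UDP port."""
import struct

# Assumption: RFC 3948 format. Earlier ESPUDP drafts may have used a longer zero marker.
MARKER = b"\x00\x00\x00\x00"          # non-ESP marker: zero octets where IKE's cookie/SPI sits
NAT_KEEPALIVE = b"\xff"               # one-octet NAT keepalive payload
IKE_HDR = struct.Struct("!QQBBBBII")  # ISAKMP/IKE fixed header, 28 octets:
# initiator cookie/SPI, responder cookie/SPI, next payload, version, exchange, flags, msg id, length


def classify(payload: bytes) -> dict:
    """Classify one UDP datagram arriving on the shared IKE port."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(MARKER):
        esp = payload[len(MARKER):]
        if len(esp) < 8:
            raise ValueError("truncated ESP header")
        spi, seq = struct.unpack("!II", esp[:8])
        if spi == 0:
            # SPI 0 is reserved by ESP and must never appear on the wire
            raise ValueError("ESP SPI 0 is not valid on the wire")
        return {"kind": "esp", "spi": spi, "seq": seq}
    if len(payload) < IKE_HDR.size:
        raise ValueError("truncated IKE header")
    i_spi, r_spi, _next, ver, exch, _flags, msg_id, length = IKE_HDR.unpack_from(payload)
    if i_spi == 0:
        # an IKE initiator cookie/SPI is required to be non-zero; this is what makes the
        # zero marker unambiguous
        raise ValueError("zero IKE initiator cookie/SPI")
    if length != len(payload):
        raise ValueError("IKE length field disagrees with datagram length")
    return {"kind": "ike", "i_spi": i_spi, "r_spi": r_spi,
            "major": ver >> 4, "minor": ver & 0xF, "exchange": exch, "msg_id": msg_id}


def naive_ike_alg(payload: bytes) -> bool:
    """Hypothetical model of a NAT that does 'intelligent stuff for IKE' on port 500:
    it assumes every datagram is IKE, validates the header, and drops anything else.
    Returns True if the NAT would forward the datagram, False if it would drop it."""
    if len(payload) < IKE_HDR.size:
        return False
    i_spi, _r, _n, ver, _e, _f, _m, length = IKE_HDR.unpack_from(payload)
    return i_spi != 0 and (ver >> 4) in (1, 2) and length == len(payload)


# Constructed sample datagrams (not captured traffic).
# IKEv1 main-mode first message: non-zero initiator cookie, zero responder cookie,
# next payload SA (1), version 1.0, exchange type 2, no flags, message id 0, length 28.
SAMPLE_IKE = IKE_HDR.pack(0x1122334455667788, 0, 1, 0x10, 2, 0, 0, IKE_HDR.size)
# UDP-encapsulated ESP: marker, SPI 0xabcd, sequence 1, 16 octets of (fake) ciphertext.
SAMPLE_ESPUDP = MARKER + struct.pack("!II", 0xABCD, 1) + b"\x00" * 16
SAMPLE_KEEPALIVE = NAT_KEEPALIVE


if __name__ == "__main__":
    for name, pkt in (("ike", SAMPLE_IKE), ("espudp", SAMPLE_ESPUDP), ("keepalive", SAMPLE_KEEPALIVE)):
        print(name, classify(pkt), "forwarded by naive IKE ALG:", naive_ike_alg(pkt))
```

Run stand-alone, the endpoint side classifies all three datagrams correctly, while the modelled IKE-aware NAT forwards only the genuine IKE header and drops both the encapsulated ESP and the keepalive, which is the behaviour that motivated moving ESPUDP off port 500.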