
Re: NAT Traversal
On Wed, 6 Mar 2002, Tero Kivinen wrote:
> 
> > >    Solution 2:
> > >      By standardizing a different UDP port for encapsulating ESP/AH traffic,
> > >      it works through all existing NATs (supporting ESP ALG or not).
> > >      One disadvantage is that it requires changes to IKE/IPSEC
> > >      implementations.
> > >
> > >      By having a different UDP port, the overhead also comes down by
> > >      8 bytes. But one more keepalive timer is required to keep
> > >      the NAT session alive.
> 
> Actually, if we move the IKE SA traffic to the new port at the same
> time, then we only need to keep that mapping up.
> 
> This would happen so that in the middle of main mode, or after main
> mode, when the initiator knows it is behind a NAT, it moves all
> traffic to the new port and lets the port 500 mapping die. All traffic
> then happens on this new port. To get the overhead down we can
> define the new port usage so that IKE payloads are identified by 4
> bytes of 0 at the beginning (i.e. the ESP SPI field), and the IKE packet
> starts after that.
> 
> This makes things a little more complicated, and the responder needs to
> update the IKE SA IP and port numbers when it sees the same IKE SA
> cookies it saw previously but from a different IP address and port.
> 
> I think Dixon has some kind of draft about this, but I don't know the
> current status of it (I think it waits for me to incorporate it into
> draft-ietf-ipsec-nat-t-ike-01.txt :-)
> 
> The reason we don't want to start directly from a different port is
> that that would require either a long initial timeout in case the other
> end does not support the new NAT-T (i.e. we send packets to port xxxx,
> but the other end ignores them and then we fall back to port 500), or
> we consume more resources by starting two negotiations at the same
> time, one on port 500 and one on port xxxx, and a NAT-T aware
> implementation would probably answer both...
> 

IKE can still use port 500. I am suggesting that ESP/AH use some
other port xxxx, as suggested in section 5.2 of
draft-ietf-udp-encaps-01.txt.

This will reduce the packet overhead for ESP packets to 8 bytes,
and it works with NAT boxes which have already implemented ESP/IKE
passthrough.

Regards
Srini

-- 
Srinivasa Rao Addepalli
Intoto Inc.
3160, De La Cruz Blvd #100
Santa Clara, CA
USA
Ph: 408-844-0480 x317
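The scheme Tero sketches above (IKE and ESP sharing one UDP port, IKE packets marked by four zero bytes in the ESP SPI position, and the responder re-learning an IKE SA's address and port when the same cookies arrive from a new source) is easy to get subtly wrong, so here is a worked demultiplexer. This is an added example written for this page, not code from either draft or from any implementation named in the thread. It assumes: the ISAKMP fixed header layout of RFC 2408 (28 bytes, cookies first); that ESP never uses SPI 0, which is what makes the zero marker unambiguous; a placeholder port 4500 standing in for the unassigned "xxxx"; and constructed packets and addresses throughout.

```python
"""Demultiplex UDP-encapsulated IKE and ESP on one shared NAT-T port.

Added example for the scheme discussed in the thread; all constants,
packets and addresses below are constructed for illustration.
"""
import struct
from dataclasses import dataclass, field

NATT_PORT = 4500                            # placeholder for the thread's "xxxx"
NON_ESP_MARKER = b"\x00\x00\x00\x00"         # sits where an ESP SPI would be
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")    # RFC 2408 fixed header, 28 bytes
ESP_HDR = struct.Struct("!II")               # SPI, sequence number


def build_ike(icookie: bytes, rcookie: bytes, body: bytes = b"") -> bytes:
    """IKE on the shared port: zero marker, then the ISAKMP message."""
    hdr = ISAKMP_HDR.pack(icookie, rcookie, 0, 0x10, 2, 0, 0,
                          ISAKMP_HDR.size + len(body))
    return NON_ESP_MARKER + hdr + body


def build_esp(spi: int, seq: int, body: bytes = b"") -> bytes:
    """ESP on the shared port: no marker, the ESP packet starts immediately."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would collide with the IKE marker")
    return ESP_HDR.pack(spi, seq) + body


@dataclass
class IkeSa:
    cookies: bytes          # initiator cookie || responder cookie
    peer: tuple             # (ip, udp_port) this SA was last seen from


@dataclass
class Responder:
    """Minimal receive side for the shared NAT-T port."""
    ike_sas: dict = field(default_factory=dict)   # cookies -> IkeSa
    esp_spis: set = field(default_factory=set)    # inbound SPIs we allocated
    events: list = field(default_factory=list)

    def receive(self, payload: bytes, src: tuple):
        if len(payload) < ESP_HDR.size:
            raise ValueError("runt UDP payload")
        if payload[:4] == NON_ESP_MARKER:
            return self._ike(payload[4:], src)
        return self._esp(payload, src)

    def _ike(self, msg: bytes, src: tuple):
        if len(msg) < ISAKMP_HDR.size:
            raise ValueError("truncated ISAKMP header")
        icookie, rcookie = ISAKMP_HDR.unpack_from(msg)[:2]
        cookies = icookie + rcookie
        sa = self.ike_sas.get(cookies)
        if sa is None:
            sa = IkeSa(cookies, src)
            self.ike_sas[cookies] = sa
            self.events.append(("new", src))
        elif sa.peer != src:
            # Known cookies from a new address/port: the initiator moved its
            # traffic (e.g. from port 500 to the NAT-T port) or the NAT
            # rebound. Follow it so replies reach the current mapping.
            self.events.append(("moved", sa.peer, src))
            sa.peer = src
        return ("ike", sa)

    def _esp(self, pkt: bytes, src: tuple):
        spi, seq = ESP_HDR.unpack_from(pkt)
        if spi not in self.esp_spis:
            self.events.append(("unknown-spi", spi, src))
            return ("esp-drop", spi)
        return ("esp", spi, seq)


def demo() -> Responder:
    """Main mode starts on port 500, then the same SA moves to a new port."""
    r = Responder()
    r.esp_spis.add(0x10000001)
    ic, rc = b"\x11" * 8, b"\x22" * 8
    r.receive(build_ike(ic, rc), ("198.51.100.7", 500))      # first exchange
    r.receive(build_ike(ic, rc), ("198.51.100.7", 40001))    # same cookies, moved
    r.receive(build_esp(0x10000001, 1, b"ct"), ("198.51.100.7", 40001))
    return r
```

One caveat a real responder must handle that this sketch does not: ISAKMP cookies travel in the clear, so updating `sa.peer` on the bare cookie match lets anyone who has observed them redirect the SA's replies. Defer the address update until the message has been authenticated under the IKE SA.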