
Re: NAT Traversal



Note that you need to keep both the IKE and 'ESPoUDP' connections
alive.  If you move 'ESPoUDP' to a different port without moving
the IKE session, you now have two ports that you need to keep open.

You need to keep IKE open in order to allow notify and rekey messages
through.

The suggestion has been made to keep IKE phase-1 as-is but, if
NAT is detected, to move both IKE-phase-2 and ESPoUDP to a new port and
reverse the sense of the port, such that ESP traffic requires no extra
overhead (beyond the UDP header) and IKE traffic requires a four-byte
overhead to indicate it's IKE.

Personally I like this idea; it seems to be the best of both worlds.
You negotiate in IKE as normal, detect the presence of NAT as defined
by the NAT-D payloads, and then 'move' the IKE/ESP session to a new
port for ESPoUDP encapsulation.

-derek

Srinivasa Addepalli <srao@intotoinc.com> writes:

> IKE still can use port 500. I am suggesting that ESP/AH use some
> other port xxxx as suggested in 5.2 section of
> draft-ietf-udp-encaps-01.txt.
> 
> This will reduce the packet overhead for ESP packets to 8 bytes
> and it works with NAT boxes which already implemented ESP/IKE 
> passthrough.
> 
> Regards
> Srini
> 
> -- 
> Srinivasa Rao Addepalli
> Intoto Inc.
> 3160, De La Cruz Blvd #100
> Santa Clara, CA
> USA
> Ph: 408-844-0480 x317
> 

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
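The "reversed sense" port that the message above describes, as an added illustration that is not code from the thread or from the draft: ESP rides in the UDP payload unchanged, IKE carries a four-byte marker, and the receiver demultiplexes on the first four bytes. It assumes the marker is all zeros, which is unambiguous because an ESP SPI of zero is reserved and never assigned; the sample packets are constructed.

```python
import struct

# Assumption: the four-byte IKE indicator is all zeros. ESP never uses
# SPI 0, so the first four bytes of the UDP payload disambiguate.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
UDP_HEADER_LEN = 8


def encapsulate_ike(ike_msg: bytes) -> bytes:
    """Prefix an IKE message with the marker so it can share the ESPoUDP port."""
    return NON_ESP_MARKER + ike_msg


def encapsulate_esp(esp_pkt: bytes) -> bytes:
    """ESP goes into the UDP payload as-is; the SPI is already its first field."""
    spi = struct.unpack("!I", esp_pkt[:4])[0]
    if spi == 0:
        # A zero SPI would be misread as the IKE marker by the peer.
        raise ValueError("SPI 0 is reserved and would collide with the IKE marker")
    return esp_pkt


def demux(udp_payload: bytes):
    """Classify a UDP payload received on the NAT-T port.

    Returns ("ike", ike_msg) or ("esp", spi, esp_pkt). Anything shorter
    than four bytes cannot be either and is rejected rather than guessed.
    """
    if len(udp_payload) < 4:
        raise ValueError("runt payload")
    if udp_payload[:4] == NON_ESP_MARKER:
        return ("ike", udp_payload[4:])
    spi = struct.unpack("!I", udp_payload[:4])[0]
    return ("esp", spi, udp_payload)


def overhead(kind: str) -> int:
    """Bytes added on the wire beyond the inner datagram: 8 for ESP, 12 for IKE."""
    return UDP_HEADER_LEN + (len(NON_ESP_MARKER) if kind == "ike" else 0)


# Constructed samples: an ESP packet (SPI 0x1234, seq 1, opaque body) and
# a 28-byte IKE header-sized blob with a non-zero initiator cookie.
SAMPLE_ESP = struct.pack("!II", 0x1234, 1) + b"\xaa" * 16
SAMPLE_IKE = b"\x11" * 8 + b"\x00" * 8 + bytes(12)
```

Because both traffic types now share one UDP port, a single keepalive on that port is enough to hold the NAT mapping open, which is the point the message makes about keeping two ports alive when they are split.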