
Re: NAT Traversal




  This seems good to me. Initially, I was thinking of using a new port
  only for ESP. But that has the problem of initiating the keepalive
  from the initiator (once quick mode is completed) so that a NAT session is
  created for the new port in the NAT box. The source port field of the UDP carrying
  quick mode and ESP packets should be the same as the source port used by the
  phase 1 exchange. If that is the case, I don't see any problem whether
  it is site-to-site connectivity or telecommuter-to-site connectivity.

Srini

   

On 6 Mar 2002, Derek Atkins wrote:

> Note that you need to keep both the IKE and 'ESPoUDP' connections
> alive.  If you move 'ESPoUDP' to a different port without moving
> the IKE session, you now have two ports that you need to keep open.
> 
> You need to keep IKE open in order to allow notify and rekey messages
> through.
> 
> The suggestion has been made to move to keep IKE phase-1 as-is but if
> NAT is detected to move both IKE-phase-2 and ESPoUDP to a new port and
> reverse the sense of the port, such that ESP traffic requires no extra
> overhead (beyond the UDP header) and IKE traffic requires a four-byte
> overhead to indicate its IKE.
> 
> Personally I like this idea; it seems to be the best of both worlds.
> You negotiate in IKE as normal, detect the presence of NAT as defined
> by the NAT-D payloads, and then 'move' the IKE/ESP session to a new
> port for ESPoUDP encapsulation.
> 
> -derek
> 
> Srinivasa Addepalli <srao@intotoinc.com> writes:
> 
> > IKE still can use port 500. I am suggesting that ESP/AH use some
> > other port xxxx as suggested in section 5.2 of
> > draft-ietf-udp-encaps-01.txt.
> > 
> > This will reduce the packet overhead for ESP packets to 8 bytes
> > and it works with NAT boxes which have already implemented ESP/IKE
> > passthrough.
> > 
> > Regards
> > Srini
> > 
> > -- 
> > Srinivasa Rao Addepalli
> > Intoto Inc.
> > 3160, De La Cruz Blvd #100
> > Santa Clara, CA
> > USA
> > Ph: 408-844-0480 x317
> > 
> 
> 

-- 
Srinivasa Rao Addepalli
Intoto Inc.
3160, De La Cruz Blvd #100
Santa Clara, CA
USA
Ph: 408-844-0480 x317
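The scheme Derek describes above (ESP on the new port with no marker, IKE on the same port behind a four-byte marker) as an added example of the receiver-side demultiplexing it implies; this is illustrative code, not from the thread or any draft. It assumes the marker is four zero bytes (an ESP SPI of zero is reserved, so the two cannot collide) and that the NAT keepalive is a one-byte 0xFF payload, which is the later RFC 3948 convention rather than anything stated in this thread.

```python
import struct

# Assumed encodings (not specified in the thread): a 4-byte all-zero
# marker in front of IKE, nothing in front of ESP, and a 1-byte keepalive.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
KEEPALIVE = b"\xff"
UDP_HEADER_LEN = 8
IKE_HEADER_LEN = 28  # fixed ISAKMP header size


def encap_ike(ike_msg: bytes) -> bytes:
    """IKE on the shared port pays the 4-byte marker so it is distinguishable."""
    if len(ike_msg) < IKE_HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    return NON_ESP_MARKER + ike_msg


def encap_esp(spi: int, seq: int, body: bytes) -> bytes:
    """ESP pays nothing beyond the UDP header; SPI 0 is reserved so the first
    four bytes can never look like the marker."""
    if not 1 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI must be non-zero and fit in 32 bits")
    return struct.pack("!II", spi, seq) + body


def classify(udp_payload: bytes) -> tuple[str, dict]:
    """Receiver-side demux of one UDP payload arriving on the NAT-T port."""
    if udp_payload == KEEPALIVE:
        return "keepalive", {"overhead": UDP_HEADER_LEN + 1}
    if udp_payload[:4] == NON_ESP_MARKER:
        if len(udp_payload) < 4 + IKE_HEADER_LEN:
            raise ValueError("marker present but ISAKMP header truncated")
        return "ike", {"ike": udp_payload[4:], "overhead": UDP_HEADER_LEN + 4}
    if len(udp_payload) < 8:
        raise ValueError("too short for an ESP header")
    spi, seq = struct.unpack("!II", udp_payload[:8])
    return "esp", {"spi": spi, "seq": seq, "overhead": UDP_HEADER_LEN}


def demo() -> list[str]:
    """Constructed sample traffic: a keepalive, an ESP packet, an IKE message."""
    samples = [KEEPALIVE, encap_esp(0x1234, 7, b"ciphertext"), encap_ike(b"\x11" * 40)]
    return [classify(p)[0] for p in samples]
```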