
RE: using ip-based cert. in NAT-T



Mohammad, are you making a comment or asking questions about the NAT-T
drafts, or asking a question to help with some other kind of
implementation?

Where did you see this technique? "This NAT-ID will be included in the
options fields of the IP header of the NATed packet." The current
udp-encaps draft does not do this.

RFC 2401 doesn't describe any requirements for integration with DNS IP
mappings for IPsec in general.  So anything you invent with respect to a
dependency on DNS containing mappings is implementation-defined, and
thus not dealt with by the NAT-T drafts.  Certainly DNS has definitions
for records to contain the public key associated with a name or an IP
address, and if your DNS supports that it may also support multiple
public key records for that IP address vs. just one.

There is no requirement to use an IP address in the certificate for IKE.
Thus the IKE Main Mode ID type often depends upon the IPsec policy
system being used - which is an implementation choice of the IPsec
vendor.  Obviously for dynamic IP address clients, putting the IP in the
cert doesn't make much sense.  2401 does suggest that a gateway can
look up the DNS name for a dynamic client as long as dynamic DNS is being
used; however, it's unclear if the DNS update will replicate fast enough
in the authority servers to service the gateway's request, or what to do
when DNS entries are not made at all.  Again, this is IPsec policy
defined by the implementation.  For routers or static servers, it may
make sense if you can have multiple certs on the router each with a
router's IP address, use multiple IP addresses in the SubjectAltName, or
can deal with updating the credential when the IP address of the router
changes.  Does the cert have an EKU that indicates an OID for IPsec
usage?  If not, then is the PKI issuer authorized to claim an IP
address for the machine in the cert it issues?

Given those issues, and the difficulty of PKI in general, I don't see IP
addresses in a certificate viable for most cases, only a very few uses
of IPsec.  But it's certainly allowed.

The use of an IP address in the IKE quick mode SA Proxy ID is
specifically dealt with in 

http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-03.txt


-----Original Message-----
From: Mohammad Awad [mailto:maa1074@hotmail.com] 
Sent: Saturday, September 28, 2002 12:58 PM
To: ipsec@lists.tislabs.com
Subject: using ip-based cert. in NAT-T


Neither the internal IPs nor their certificates can be registered in the
DNS. This makes the other peer, which is negotiating IKE main mode with
the NATed host, use a certificate with a subject other than the IP (maybe
FQDN) to authenticate the NATed host, which may be less secure. What if
the internal hosts behind the NAT can -somehow- register their
certificates in the DNS with an approach like this:
Each NATed host will be provided an identifier that is unique amongst
the NATed hosts behind one NAT (ie, those hosts having the same external
IP). This NAT-ID will be included in the options fields of the IP header
of the NATed packet. Other RRs in the DNS are to be added, with
extensions to hold that NAT-ID, one RR record for each NATed host.
Then the certificates can be registered in that RR NAT record and used
by the remote peer to obtain the certificate of the NATed host. How do
you find that approach?
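The reply above lists the conditions under which an IP address in a certificate is meaningful for IKE: the asserted ID must match a SubjectAltName iPAddress entry, the packets must actually come from that address (which a NAT breaks, as the NAT-D check in the nat-t drafts detects), and the EKU should name an IPsec purpose, otherwise the issuer's authority to bind an IP is unclear. The following is an added illustrative policy check written for this page; it is not code from the thread, the drafts, or any IPsec implementation. It works on already-parsed certificate fields (constructed inputs, not DER), uses RFC 5737 documentation addresses, and the EKU OIDs are the real IPsec values from RFC 3280 and RFC 4945; the strictness of treating a missing EKU as a failure is an assumed local policy.

```python
"""Illustrative IKE identity policy check for IP-address certificate IDs.

Added example, not from the ipsec list thread or any IPsec product.
Certificate fields are constructed stand-ins for what an X.509 parser
would return; addresses are RFC 5737 documentation ranges.
"""
from dataclasses import dataclass, field
from typing import List, Tuple
import ipaddress

# Real EKU purpose OIDs: RFC 3280 s4.2.1.13 (EndSystem/Tunnel/User) and
# RFC 4945 s5.1.3.12 (id-kp-ipsecIKE).
IPSEC_EKU_OIDS = {
    "1.3.6.1.5.5.7.3.5": "id-kp-ipsecEndSystem",
    "1.3.6.1.5.5.7.3.6": "id-kp-ipsecTunnel",
    "1.3.6.1.5.5.7.3.7": "id-kp-ipsecUser",
    "1.3.6.1.5.5.7.3.17": "id-kp-ipsecIKE",
}
ANY_EKU_OID = "2.5.29.37.0"  # anyExtendedKeyUsage, RFC 3280


@dataclass
class CertIdentity:
    """Constructed stand-in for the identity-bearing fields of a peer cert."""
    san_ips: List[str] = field(default_factory=list)   # SubjectAltName iPAddress entries
    san_dns: List[str] = field(default_factory=list)   # SubjectAltName dNSName entries
    eku_oids: List[str] = field(default_factory=list)  # ExtendedKeyUsage OIDs, [] if absent


@dataclass
class IkePeer:
    """What the responder knows about the peer during Main Mode."""
    id_type: str            # IKE ID payload type, e.g. "ID_IPV4_ADDR" or "ID_FQDN"
    id_value: str           # the identity the peer asserts
    src_addr: str           # address the IKE packets actually arrived from
    nat_detected: bool = False  # result of comparing NAT-D hashes (nat-t drafts)


def ipsec_eku_present(cert: CertIdentity) -> bool:
    """True if the EKU names an IPsec purpose (or anyExtendedKeyUsage)."""
    return any(o in IPSEC_EKU_OIDS or o == ANY_EKU_OID for o in cert.eku_oids)


def check_ip_identity(cert: CertIdentity, peer: IkePeer) -> Tuple[bool, List[str]]:
    """Decide whether an IP-address identity is acceptable for this cert and peer.

    Returns (accepted, reasons); reasons is empty only when accepted.
    Assumed policy: missing EKU is rejected because nothing shows the
    issuer was authorised to bind an IP address to this key.
    """
    reasons: List[str] = []
    if peer.id_type != "ID_IPV4_ADDR":
        return False, [f"{peer.id_type} is not an IP identity; apply FQDN/DN policy instead"]
    try:
        claimed = ipaddress.ip_address(peer.id_value)
    except ValueError:
        return False, [f"malformed IP identity {peer.id_value!r}"]

    # 1. The asserted ID must be one of the cert's iPAddress SAN entries
    #    (a router may legitimately carry several, as the reply notes).
    san = [ipaddress.ip_address(a) for a in cert.san_ips]
    if claimed not in san:
        reasons.append(f"{claimed} is not among SubjectAltName iPAddress entries {cert.san_ips}")

    # 2. The issuer should have scoped the cert to IPsec use.
    if not cert.eku_oids:
        reasons.append("no EKU extension: issuer authorisation to bind an IP address is unclear")
    elif not ipsec_eku_present(cert):
        reasons.append("EKU present but names no IPsec purpose")

    # 3. The address binding only means something if packets really come
    #    from that address; a NAT on the path rewrites it.
    if peer.nat_detected:
        reasons.append("NAT detected between peers: source address no longer matches the cert IP")
    elif ipaddress.ip_address(peer.src_addr) != claimed:
        reasons.append(f"IKE packets arrived from {peer.src_addr}, not the claimed {claimed}")

    return (not reasons), reasons


def demo() -> dict:
    """Run the three situations discussed in the thread on constructed inputs."""
    router_cert = CertIdentity(san_ips=["192.0.2.1", "198.51.100.1"],
                               eku_oids=["1.3.6.1.5.5.7.3.17"])
    static_router = IkePeer("ID_IPV4_ADDR", "198.51.100.1", "198.51.100.1")

    # Host behind a NAT: private ID, public source address, NAT-D mismatch, no EKU.
    host_cert = CertIdentity(san_ips=["10.0.0.5"], eku_oids=[])
    nated_host = IkePeer("ID_IPV4_ADDR", "10.0.0.5", "203.0.113.7", nat_detected=True)

    # Dynamic client that sensibly does not use an IP identity at all.
    laptop_cert = CertIdentity(san_dns=["laptop.example"], eku_oids=["1.3.6.1.5.5.7.3.17"])
    dynamic_client = IkePeer("ID_FQDN", "laptop.example", "203.0.113.9")

    return {
        "static_router": check_ip_identity(router_cert, static_router),
        "nated_host": check_ip_identity(host_cert, nated_host),
        "dynamic_client": check_ip_identity(laptop_cert, dynamic_client),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'} {why}")
```

The static router passes because its second SAN address matches both the asserted ID and the packet source, and the EKU carries id-kp-ipsecIKE. The NATed host fails on two independent grounds (no EKU, NAT detected), which is the practical reason the reply gives for IP identities being unsuitable behind a NAT even if the certificate itself were reachable via DNS. The FQDN case simply falls outside this check and would be handled by whatever name-based policy the implementation defines.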



