
Re: Change of SA source IP address



At 07:28 10.12.2002 -0800, you wrote:
>I would like to send a general question out to see how the different 
>implementations would react against such event.
>
>I am trying to deal with a case were the SRC address of a outgoing SA may 
>change. It could be due to several reasons (route/interface change, failover).
>
>How is/should the remote peer react against such event?
>
>In case of an IPsec-aware NAT device. Would it change the src IP address?
>
>thank you very much,
>marc.

OK, this is for today's IPv4. Mobile IPv6 is another story, I will not talk 
about that.

Change of the SRC address is a rather common thing if you do ipsec through
a NAT device. The ESP packet will be UDP-encapsulated. Tunnel mode is used.
If the client fails to send traffic for some time, the NAT device forgets
about the mapping and the next ipsec packet will create a new mapping.

How should the peer react?

Since an ipsec device can choose the SPI for its incoming traffic,
it is easy to identify the SA only by the SPI of the packet.
Do the replay check. Do the integrity check. If that succeeds, you'll
send future ipsec traffic with the counterpart (outgoing) SA to the new
IP address (and the new ESPoUDP port).

We have implemented further checks. For instance, if the client used an IP
address for Phase 1 ID, we do not allow an IP address change.

Jörn
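The receive-side procedure described in the reply (look the SA up by SPI alone, run the replay check, run the integrity check, and only then let the counterpart outbound SA follow the peer to its new address and ESP-over-UDP port, with the extra rule that a peer whose Phase 1 ID was an IP address is not allowed to move) can be written out as a small model. The code below is an added example, not code from the original post or from any implementation mentioned in it. It assumes a simplified ESP packet of SPI | sequence number | payload | ICV with HMAC-SHA1-96 as the integrity algorithm and no encryption, a 64-packet anti-replay window, and addresses represented as (IP, UDP port) pairs; the sample SAs, keys and addresses are constructed for the example. The policy of dropping the packet when an IP-identified peer appears from a new address is one reading of "we do not allow an IP address change" and is an assumption.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

# (IP address, UDP port) of the ESP-in-UDP encapsulation; NAT may change both.
Addr = Tuple[str, int]

ICV_LEN = 12  # HMAC-SHA1-96: the first 96 bits of the HMAC (assumed algorithm)


@dataclass
class OutboundSA:
    spi: int
    dst: Addr  # where we currently send ESP-in-UDP traffic to this peer


@dataclass
class InboundSA:
    spi: int               # we chose this SPI, so it identifies the SA on its own
    auth_key: bytes        # key for the integrity check
    peer: Addr             # source address/port the peer was last seen from
    outbound: OutboundSA   # counterpart SA whose destination follows the peer
    id_is_ip: bool = False # True if the Phase 1 identity was an IP address
    window_size: int = 64  # anti-replay window (assumed size)
    highest_seq: int = 0   # highest sequence number accepted so far
    window: int = 0        # bit d set  <=>  seq (highest_seq - d) already seen


def icv(key: bytes, authenticated: bytes) -> bytes:
    return hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]


def build_esp(sa: InboundSA, seq: int, payload: bytes) -> bytes:
    """Construct a packet as the peer would send it: SPI | seq | payload | ICV."""
    header = struct.pack("!II", sa.spi, seq)
    return header + payload + icv(sa.auth_key, header + payload)


def replay_ok(sa: InboundSA, seq: int) -> bool:
    """Sliding-window replay check; does not modify the window."""
    if seq == 0:
        return False
    if seq > sa.highest_seq:
        return True
    d = sa.highest_seq - seq
    return d < sa.window_size and not (sa.window >> d) & 1


def replay_update(sa: InboundSA, seq: int) -> None:
    """Record seq in the window; only called after the integrity check passed."""
    if seq > sa.highest_seq:
        shift = seq - sa.highest_seq
        mask = (1 << sa.window_size) - 1
        sa.window = ((sa.window << shift) | 1) & mask
        sa.highest_seq = seq
    else:
        sa.window |= 1 << (sa.highest_seq - seq)


def receive(sa_table: Dict[int, InboundSA], src: Addr, datagram: bytes) -> str:
    """Process one UDP-encapsulated ESP packet arriving from src."""
    if len(datagram) < 8 + ICV_LEN:
        return "drop: truncated"
    spi, seq = struct.unpack("!II", datagram[:8])
    sa = sa_table.get(spi)            # the SPI alone selects the SA
    if sa is None:
        return "drop: unknown SPI"
    if not replay_ok(sa, seq):
        return "drop: replayed or out-of-window sequence number"
    body, tag = datagram[:-ICV_LEN], datagram[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(sa.auth_key, body)):
        return "drop: integrity check failed"
    # Only an authenticated, fresh packet may move the peer.
    if src != sa.peer:
        if sa.id_is_ip:
            # Assumed policy: an IP-identified peer may not change address.
            return "drop: address change refused for IP-address identity"
        sa.peer = src
        sa.outbound.dst = src         # outgoing traffic now follows the peer
    replay_update(sa, seq)
    return "accept"


if __name__ == "__main__":
    out = OutboundSA(spi=0x1000, dst=("192.0.2.10", 4500))
    sa = InboundSA(spi=0x2000, auth_key=b"k" * 20,
                   peer=("192.0.2.10", 4500), outbound=out)
    table = {sa.spi: sa}
    print(receive(table, ("192.0.2.10", 4500), build_esp(sa, 1, b"hello")))
    # NAT mapping expired and was recreated: same SA, new address and port.
    print(receive(table, ("198.51.100.7", 61000), build_esp(sa, 2, b"again")))
    print(out.dst)
```

Note that the replay window is only advanced after the ICV verified, so a forged packet with a high sequence number cannot push the window forward, and the address update sits after both checks, so an unauthenticated datagram from a new source cannot redirect the outbound SA.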