
Re: a proposal of address management for IKEv2



Francis Dupont writes:
>    If this stays static it will leak out information (i.e. make the
>    tracking of the user easy). Also you assume that the client will know if
>    there is NAT between (i.e. use the secret peer address only when there is
>    NAT, and otherwise use the normal address). If there is no NAT then the client
>    must use his own address, otherwise we enable NAT-T every time.
>    
> => if there is no NAT the secret address will be as it is in the packet
> header and no more secret. So I assume that when someone wants to
> keep its address secret it begins by inserting a NAT in the path...

Yes, but the client does not know if there is NAT between before it is
tested, and it might not know if the address is secret or not if it is
given by DHCP. If we give out the static address always in the NAT
discovery protocol then there is no way to keep that address secret.
That was the reason the addresses are hashed in the NAT-T draft.
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
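An added illustration of the hashed NAT detection payload the reply refers to; this is example code, not from the thread or the SSH toolkit. It assumes the layout later fixed in RFC 7296 section 2.23 (SHA-1 over SPIi, SPIr, IP address and port), and the SPIs and addresses are constructed sample values.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Value carried in NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP:
    SHA-1(SPIi | SPIr | IP | port). The SPIs act as a per-exchange salt, so an
    observer cannot tell which address was hashed without recomputing it, and
    the address itself is never put on the wire in the clear."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes each")
    packed_ip = ipaddress.ip_address(ip).packed      # 4 bytes for v4, 16 for v6
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def nat_in_path(received_hash: bytes, spi_i: bytes, spi_r: bytes,
                observed_ip: str, observed_port: int) -> bool:
    """Receiver side: recompute the hash over the source address and port the
    packet actually arrived from. A mismatch means a NAT rewrote the header
    somewhere between the peers; the receiver still learns nothing about the
    sender's real address beyond 'it was not this one'."""
    return nat_detection_hash(spi_i, spi_r, observed_ip, observed_port) != received_hash


if __name__ == "__main__":
    # Constructed sample SPIs (hypothetical values).
    spi_i = bytes.fromhex("0123456789abcdef")
    spi_r = bytes.fromhex("fedcba9876543210")
    # Client hashes the address it believes it is sending from.
    sent = nat_detection_hash(spi_i, spi_r, "10.0.0.5", 500)
    # No NAT: the peer sees the same address and port.
    print("NAT detected (direct path):", nat_in_path(sent, spi_i, spi_r, "10.0.0.5", 500))
    # NAT: the peer sees the translated address and a rewritten port.
    print("NAT detected (behind NAT):", nat_in_path(sent, spi_i, spi_r, "203.0.113.7", 4500))
```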