
Re: IKEv2: prepending four octets



Hi.

Yoav Nir wrote:
The IKEv1 RFC mandated that IKE communications be from port 500 to port 500.
It states that replies to an IKE packet go to port 500, not the source port.
Implementations that follow the RFC cannot work when a NAT changes the
ports.

agreed
To overcome this problem, many NAT implementations added special
handling to port 500:
Since these "smart" NAT devices are all over the place, we need to use a new
port that doesn't have this special handling.


So we will not disturb these NAT devices that work on port 500.
Since IKEv2 is now being built from scratch, we shall standardise port 4500 instead of 500. A non-zero value in the first
four bytes indicates IPsec packets and zeros indicate IKE packets.

--Ravi


-----Original Message-----
From: ravi [mailto:ravivsn@roc.co.in]
Sent: Wednesday, March 19, 2003 7:05 AM
To: Yoav Nir
Cc: ipsec@lists.tislabs.com
Subject: Re: IKEv2: prepending four octets


Hi,

  
You prepend four zeros to IKE messages, because no
IPsec-encapsulated-in-UDP message begins with four zeros.  An encapsulated
IPSec packet begins with the SPI which is always non-zero.  Adding four
zeros to the beginning of an IKE message makes it possible to distinguish
IKE messages from encapsulated IPSec packets.


    
IKEv2 is being defined fresh. Why can't we use port 500 for the purpose of
NAT Traversal? If we make this packet also contain the first four bytes
after the UDP header as 0s in the case of an IKE packet, then there is no need for port
4500.

--Ravi

  
Hope this helps

Yoav

-----Original Message-----
From: owner-ipsec@lists.tislabs.com
[mailto:owner-ipsec@lists.tislabs.com]On Behalf Of ravi
Sent: Tuesday, March 18, 2003 10:11 AM
To: ipsec@lists.tislabs.com
Subject: IKEv2: prepending four octets


Dear All,
I am going through the ikev2-0.5 draft. It says that
in the IKE header, when sent on UDP port 4500, IKE messages have
four octets of zero prepended.

My doubt is: what made them prepend four octets of zeroes before the IKE
message?
Thanks in advance,
Ravi Kumar CH.