
Re: draft-ietf-ipsec-ikev2-05.txt comments



Francis Dupont writes:
> => IMHO the current draft is a bit underspecified, for instance it
> should explicitly permit to run IKE over port 4500 from the beginning
> (so there will be only one mapping and as soon as an exchange succeeds
> the whole stuff, including IPsec SAs, works).

From the draft-ietf-ipsec-ikev2-05.txt:
----------------------------------------------------------------------
2.11 Address and Port Agility

   IKE runs over UDP ports 500 and 4500, and implicitly sets up ESP and
   AH associations for the same IP addresses it runs over. The IP
   addresses and ports in the outer header are, however, not themselves
   cryptographically protected, and IKE is designed to work even through
   Network Address Translation (NAT) boxes. An implementation MUST
   accept incoming connection requests even if not received from UDP
   port 500 or 4500, and MUST respond to the address and port from which
   the request was received.  IKE functions identically over IPv4 or
   IPv6.
----------------------------------------------------------------------

I.e. it now already says that both port 500 and 4500 are used, and the
NAT traversal section says:
----------------------------------------------------------------------
2.23 NAT Traversal

...
   The specific requirements for supporting NAT traversal are listed
   below.  Support for NAT traversal is optional. In this section only,
   requirements listed as MUST only apply to implementations supporting
   NAT.

      IKE MUST listen on port 4500 as well as port 500. IKE MUST respond
      to the IP address and port from which packets arrived.
----------------------------------------------------------------------

> => note you explicitly use an IKE which always runs over UDP 4500.
> IMHO this is the good solution and it should be documented (current
> draft suggests the first exchange must be over UDP 500).

Where does it say so? The current draft talks about ports 500 and
4500 in an almost equal way (the only difference being that 4500 has a
different encoding and that port 4500 works better through NATs).
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
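The receive-side rules quoted above from sections 2.11 and 2.23 (listen on both 500 and 4500, accept a request regardless of its source port, reply to the address and port it arrived from) as an added illustration; this is editor-written example code, not from the draft, the thread or SSH's toolkit. It assumes the usual NAT-T encoding on port 4500, where IKE is prefixed by a four-zero-octet non-ESP marker to share the port with UDP-encapsulated ESP; the draft text on this page only says the encoding differs. The 28-byte IKE header layout and the sample IKE_SA_INIT header are likewise assumed/constructed.

```python
import struct
from dataclasses import dataclass

IKE_PORT, IKE_NATT_PORT = 500, 4500
# Assumption (IKEv2 NAT-T encoding, not spelled out on this page): IKE sent
# to port 4500 is prefixed with four zero octets, the "non-ESP marker", so it
# can share the port with UDP-encapsulated ESP, whose SPI is never zero.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
IKE_HEADER_LEN = 28  # SPIi(8) SPIr(8) next(1) ver(1) exch(1) flags(1) msgid(4) len(4)

@dataclass
class Datagram:
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int
    payload: bytes

def classify(dg: Datagram):
    """Return (kind, ike_body, reply_addr, reply_port) for a datagram on 500/4500.
    kind is "ike", "esp" or "drop".  The reply target is always the source address
    and port, as 2.11/2.23 require, even if a NAT rewrote the port to something
    other than 500 or 4500.
    """
    reply = (dg.src_addr, dg.src_port)
    if dg.dst_port == IKE_NATT_PORT:
        if not dg.payload.startswith(NON_ESP_MARKER):
            return ("esp", b"") + reply  # UDP-encapsulated ESP, not IKE
        body = dg.payload[len(NON_ESP_MARKER):]
    elif dg.dst_port == IKE_PORT:
        body = dg.payload
    else:
        return ("drop", b"") + reply
    # Cheap header sanity checks before the message reaches the IKE state machine.
    if len(body) < IKE_HEADER_LEN:
        return ("drop", b"") + reply
    version, length = body[17], struct.unpack("!I", body[24:28])[0]
    if version >> 4 != 2 or length != len(body):
        return ("drop", b"") + reply
    return ("ike", body) + reply

def build_reply(req: Datagram, ike_msg: bytes) -> Datagram:
    """Answer from the port the request hit, back to the request's source
    address/port, using the same encoding the request arrived with."""
    marker = NON_ESP_MARKER if req.dst_port == IKE_NATT_PORT else b""
    return Datagram(req.dst_addr, req.dst_port, req.src_addr, req.src_port,
                    marker + ike_msg)

def sample_ike_sa_init_header() -> bytes:
    """Constructed 28-byte IKE_SA_INIT request header (version 2.0, exchange 34)."""
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 33, 0x20, 34, 0x08, 0, 28)
```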