
Re: draft-ietf-ipsec-ikev2-05.txt comments



 In your previous mail you wrote:

   Francis Dupont writes:
   > => IMHO the current draft is a bit underspecified, for instance it
   > should explicitly permit running IKE over port 4500 from the beginning
   > (so there will be only one mapping and as soon as an exchange succeeds
   > the whole stuff, including IPsec SAs, works).
   
   From draft-ietf-ipsec-ikev2-05.txt:
   ----------------------------------------------------------------------
   2.11 Address and Port Agility
   
      IKE runs over UDP ports 500 and 4500, and implicitly sets up ESP and
      AH associations for the same IP addresses it runs over. The IP
      addresses and ports in the outer header are, however, not themselves
      cryptographically protected, and IKE is designed to work even through
      Network Address Translation (NAT) boxes. An implementation MUST
      accept incoming connection requests even if not received from UDP
      port 500 or 4500, and MUST respond to the address and port from which
      the request was received.  IKE functions identically over IPv4 or
      IPv6.

=> IMHO this section is too short but this is not the best place for
my "explicitly permit running IKE over port 4500 from the beginning".

   I.e., it now already says that both port 500 and 4500 are used, and the

=> but it suggests that NAT Traversal is activated only after a NAT
detection on port 500. I believe we need more flexibility.

   NAT traversal section says:
   ----------------------------------------------------------------------
   2.23 NAT Traversal
   
   ...
      The specific requirements for supporting NAT traversal are listed
      below.  Support for NAT traversal is optional. In this section only,

=> with my (current) proposal, this "optional" doesn't make sense, so
we can put more into the requirements for all implementations or jump
to a SHOULD for NAT Traversal support?

      requirements listed as MUST only apply to implementations supporting
      NAT.
   
         IKE MUST listen on port 4500 as well as port 500. IKE MUST respond
         to the IP address and port from which packets arrived.
   
   > => note you explicitly use an IKE which always runs over UDP 4500.
   > IMHO this is the good solution and it should be documented (current
   > draft suggests the first exchange must be over UDP 500).
   
   Where does it say so? The current draft talks about ports 500 and
   4500 in an almost equal way (the only difference being that 4500 has
   a different encoding and that port 4500 works better through NATs).

=> the current spec describes a switch to port 4500, so implicitly
it assumes it always starts over port 500. This is only a problem
in the wording but it has an impact on the NAT Traversal support
requirement because with the better wording IKE will always support
NAT Traversal and it doesn't make sense to get no support for the
other parts of IPsec. So we can argue for at least a SHOULD based
on a protocol argument.
I'm trying to do several things at the same time so I forgot the
most important one: the places are near the NAT-DETECTION words.

Thanks

Francis.Dupont@enst-bretagne.fr
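The reply above notes that port 4500 "has a different encoding". The following is an added example, written for this archive page and not code from the thread, the draft or any IPsec implementation: a small demultiplexer for UDP/4500 datagrams that uses the four-zero-octet non-ESP marker to separate IKE messages from UDP-encapsulated ESP (and the one-octet NAT-keepalive), with a length check on the IKE header before anything is trusted. Function names and the sample packets are my own constructions.

```python
import struct

# Constructed example; nothing here is code from the thread or the draft.
# On UDP/4500 an IKE message starts with a "non-ESP marker" (four zero octets)
# so the receiver can tell it from UDP-encapsulated ESP, whose first four
# octets are the SPI (never zero). A lone 0xFF octet is the NAT-keepalive.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
# IKEv2 header: SPIi, SPIr, next payload, version, exchange, flags, msg id, length
IKE_HEADER_FMT = "!8s8sBBBBII"
IKE_HEADER_LEN = struct.calcsize(IKE_HEADER_FMT)  # 28 octets

def encapsulate_ike_for_4500(ike_message: bytes) -> bytes:
    """Port-4500 encoding of an IKE message: prepend the non-ESP marker."""
    return NON_ESP_MARKER + ike_message

def parse_ike_header(msg: bytes) -> dict:
    """Decode the fixed IKEv2 header and check its length field against the datagram."""
    if len(msg) < IKE_HEADER_LEN:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = struct.unpack(
        IKE_HEADER_FMT, msg[:IKE_HEADER_LEN])
    if length != len(msg):
        raise ValueError("IKE length field does not match datagram size")
    return {"spi_i": spi_i.hex(), "spi_r": spi_r.hex(), "next_payload": nxt,
            "version": (ver >> 4, ver & 0x0F), "exchange": exch,
            "initiator": bool(flags & 0x08), "response": bool(flags & 0x20),
            "message_id": msg_id, "length": length}

def demux_port_4500(datagram: bytes) -> tuple:
    """Classify a UDP/4500 datagram: ('keepalive', None), ('ike', hdr) or ('esp', hdr)."""
    if datagram == NAT_KEEPALIVE:
        return ("keepalive", None)
    if datagram.startswith(NON_ESP_MARKER):
        return ("ike", parse_ike_header(datagram[len(NON_ESP_MARKER):]))
    if len(datagram) < 8:
        raise ValueError("too short for an ESP header")
    spi, seq = struct.unpack("!II", datagram[:8])
    return ("esp", {"spi": spi, "seq": seq})

# Builders for constructed sample packets (not captured traffic).
def build_sample_ike_sa_init(spi_i: bytes, payloads: bytes) -> bytes:
    """IKE_SA_INIT request (exchange type 34) from the initiator; responder SPI is zero."""
    length = IKE_HEADER_LEN + len(payloads)
    return struct.pack(IKE_HEADER_FMT, spi_i, bytes(8), 33, 0x20, 34, 0x08, 0, length) + payloads

def build_sample_esp(spi: int, seq: int, body: bytes) -> bytes:
    """UDP-encapsulated ESP on port 4500: SPI, sequence number, then the opaque body."""
    return struct.pack("!II", spi, seq) + body
```

A receiver that listens on 4500 from the start, as the thread proposes, runs this same demux on every datagram; the port-500 path carries bare IKE with no marker.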