[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Secure remote access with IPsec

To: Antonio Forzieri <antonio.forzieri@cefriel.it>
Subject: Re: Secure remote access with IPsec
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
Date: Fri, 21 Mar 2003 18:53:11 +0100
cc: "'IPsec WG'" <ipsec@lists.tislabs.com>
In-reply-to: Your message of Fri, 21 Mar 2003 12:30:49 +0100. <3E7AF7E9.3030205@cefriel.it>
Sender: owner-ipsec@lists.tislabs.com

 In your previous mail you wrote:

   > => if it seems useful to permit this (IMHO it will be the case) then
   > NAT-T support will get a MUST.
   The reason why nat-t draft and than IKEv2 draft switch the communication 
   to port 4500 if a NAT is detected there is a NAT-T helper fuction which 
   does nottraslate UDP500 and that is implemented in a lot of NA(P)T. So 
   what's wrong to let IKev2 directly speak on port 4500 instead of 500?

=> nothing but the current draft wording suggests that IKE_SA_INIT
always runs over UDP 500. This should be fixed.

   If we let IKEv2 speak on port 500 and then switch to port 4500 if nat is 
   detected we should have collision problem during IKE_SA_INIT.

=> there is no collision problem with the same initiator, and collisions
where both sides are initiators are already handled by the rekeying stuff
(both in the draft and in this list).

   > => we cannot change the selectors of a SA without rekeying. And we shan't
   > change a traffic selector of a tunnel without rekeying.
   Why not? What's wrong with changing the selectors?

=> the term selector is not very accurate. You can't change the traffic
selectors but you can change the endpoints (i.e., the peer addresses)
with a peer address update mechanism.

   [from  draft-ietf-mobileip-mipv6-ha-ipsec-03.txt]
       Step 9.  If the mobile node and the HA have the capability to change
       the IKE endpoints, they change the address to C.  If they dont have
       the capability, both nodes remove their phase 1 connections created
       on top of the care-of address B and establish a new IKE phase 1 on
       top of the care-of address C.

=> this text applies only to IKEv1. In IKEv2 one should use the rekeying
mechanism for the IKE SA, both because it is available and because in
IKEv2 when an IKE SA is closed all the IPsec SAs it negociated are closed.

       This capability to change the IKE
       phase 1 end points is indicated through setting the Key Management
       Mobility Capability (K) flag [8] in the Binding Update and Binding
       Acknowledgement messages.

=> this is about peer address update mechanisms, in IKEv2 you'll get:
 - an implicit mechanism with NAT Traversal for peers which have
   the other peer behind a NAT.
 - an explicit mechanism defined after the urgent publication of the
   IKEv2 document.
 - a programmatic stuff which provides the peer address update itself
   for a set of SAs (an IKE SA and some IPsec SA pairs). It will be
   used of course by IKEv2 but I've suggested to make it available from
   the outside of the IKEv2 process(es).

Thanks

Francis.Dupont@enst-bretagne.fr

References:
- Re: Secure remote access with IPsec
  - From: Antonio Forzieri <antonio.forzieri@cefriel.it>

Prev by Date: Re: RE2: Do ipsec vendors care about privacy?
Next by Date: Re: AES-based PRF for IKEv2
Prev by thread: Re: Secure remote access with IPsec
Next by thread: Re: Secure remote access with IPsec
Index(es):
- Date
- Thread