
Re: Secure remote access with IPsec



Francis Dupont wrote:
> => research is not 100% paperwork...
You are right; however, if there are any other problems, directions or 
open issues about remote access, I think it will be useful to study them.

> => EAP is the PPP generic authentication. You can put what you'd like
> in EAP.
Agreed.

[SNIP]
> => if it seems useful to permit this (IMHO it will be the case) then
> NAT-T support will get a MUST.
The reason why the NAT-T draft, and then the IKEv2 draft, switch the communication 
to port 4500 if a NAT is detected is that there is a NAT-T helper function which 
does not translate UDP 500, and that is implemented in a lot of NA(P)Ts. So 
what's wrong with letting IKEv2 speak directly on port 4500 instead of 500?
If we let IKEv2 speak on port 500 and then switch to port 4500 if a NAT is 
detected, we would have a collision problem during IKE_SA_INIT.

> => it seems you read my drafts!
Of course! :-)

> => we cannot change the selectors of a SA without rekeying. And we shan't
> change a traffic selector of a tunnel without rekeying.
Why not? What's wrong with changing the selectors?

[from  draft-ietf-mobileip-mipv6-ha-ipsec-03.txt]
    Step 9.  If the mobile node and the HA have the capability to change
    the IKE endpoints, they change the address to C.  If they don't have
    the capability, both nodes remove their phase 1 connections created
    on top of the care-of address B and establish a new IKE phase 1 on
    top of the care-of address C.  This capability to change the IKE
    phase 1 end points is indicated through setting the Key Management
    Mobility Capability (K) flag [8] in the Binding Update and Binding
    Acknowledgement messages.

-- 
------------------------------------------------
Antonio Forzieri
CEFRIEL - Politecnico di Milano
Thesis Student, E-Service Technologies Area
Tel: 02-23954.334 - email: forzieri@cefriel.it
ICQ# 177683894
------------------------------------------------
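The exchange Antonio is discussing (IKE_SA_INIT on UDP 500, then a move to UDP 4500 once a NAT is detected) rests on the NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notify payloads. The following is an added worked example, not code from the thread or from any of the drafts cited in it; it follows the mechanism as finally published in RFC 7296 section 2.23 (the drafts under discussion predate that RFC), and every address, port and SPI in it is a constructed sample value.

```python
"""Added example (not from the thread): IKEv2 NAT detection and the
500 -> 4500 port switch, per RFC 7296 section 2.23.  Addresses, ports
and SPIs below are constructed sample values, not captured traffic."""
import hashlib
import socket
import struct

IKE_PORT = 500        # IKE_SA_INIT is sent here
IKE_NATT_PORT = 4500  # UDP-encapsulated IKE/ESP after a NAT is detected
ZERO_SPI = bytes(8)   # responder SPI is all-zero in the IKE_SA_INIT request


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1(SPIi | SPIr | IP | port): the value carried in the
    NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifies."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes")
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    packed = spi_i + spi_r + socket.inet_pton(family, ip) + struct.pack("!H", port)
    return hashlib.sha1(packed).digest()


def build_nat_notifies(spi_i, spi_r, src_ip, src_port, dst_ip, dst_port):
    """Sender side: hashes over the addresses the sender *believes* it is
    using (its own socket address and the peer address it sent to).
    A NAT on the path rewrites the outer header but not these payloads."""
    return {
        "NAT_DETECTION_SOURCE_IP": nat_detection_hash(spi_i, spi_r, src_ip, src_port),
        "NAT_DETECTION_DESTINATION_IP": nat_detection_hash(spi_i, spi_r, dst_ip, dst_port),
    }


def detect_nat(spi_i, spi_r, notifies, observed_src_ip, observed_src_port,
               local_ip, local_port):
    """Receiver side. Returns (peer_behind_nat, self_behind_nat).

    - SOURCE hash != hash of the address the packet actually arrived from
      means the peer's address was rewritten: the peer is behind a NAT.
    - DESTINATION hash != hash of our own address means our address was
      rewritten on the way in: we are behind a NAT.
    """
    expected_src = nat_detection_hash(spi_i, spi_r, observed_src_ip, observed_src_port)
    expected_dst = nat_detection_hash(spi_i, spi_r, local_ip, local_port)
    peer_behind_nat = notifies["NAT_DETECTION_SOURCE_IP"] != expected_src
    self_behind_nat = notifies["NAT_DETECTION_DESTINATION_IP"] != expected_dst
    return peer_behind_nat, self_behind_nat


def choose_port(peer_behind_nat, self_behind_nat):
    """Port for the rest of the exchange: stay on 500 unless a NAT was seen."""
    return IKE_NATT_PORT if (peer_behind_nat or self_behind_nat) else IKE_PORT


def simulate(initiator_behind_nat):
    """One IKE_SA_INIT request as seen by the responder.  Constructed
    topology: initiator 10.0.0.5:500 -> (NAPT to 203.0.113.7:3120) ->
    responder 198.51.100.9:500."""
    spi_i = bytes.fromhex("0123456789abcdef")  # constructed initiator SPI
    init_ip, init_port = "10.0.0.5", IKE_PORT
    resp_ip, resp_port = "198.51.100.9", IKE_PORT

    # Initiator hashes the addresses it knows; responder SPI is still zero.
    notifies = build_nat_notifies(spi_i, ZERO_SPI, init_ip, init_port,
                                  resp_ip, resp_port)

    # The NAPT rewrites only the outer UDP/IP header, not the notify payloads.
    if initiator_behind_nat:
        seen_ip, seen_port = "203.0.113.7", 3120
    else:
        seen_ip, seen_port = init_ip, init_port

    peer_nat, self_nat = detect_nat(spi_i, ZERO_SPI, notifies, seen_ip, seen_port,
                                    resp_ip, resp_port)
    return {
        "initiator_behind_nat": peer_nat,
        "responder_behind_nat": self_nat,
        "port_after_init": choose_port(peer_nat, self_nat),
    }


if __name__ == "__main__":
    print(simulate(initiator_behind_nat=True))
    print(simulate(initiator_behind_nat=False))
```

The responder never learns the initiator's private address; it only learns that the hash it was given does not match what the outer header says, which is enough to decide that everything after IKE_SA_INIT should move to 4500. On 4500 the IKE messages carry a four-byte zero "non-ESP marker" so that IKE and UDP-encapsulated ESP can share the port, which is the detail that makes the responder's per-port demultiplexing unambiguous there.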