Regarding Peer Address Update
Hi All,
I also felt that this is a very powerful feature, where the IKE SA
and IPSEC SAs are not terminated even when the external IP address
of the box changes (via DHCP from the ISP or PPP from the ISP, or, in the
case of mobile-ip, it is the care-of-address that changes). Whenever the
IP address is changed, it can inform the peer of this change.
I have some questions and comments:
1. If the security appliance or client is behind a NAT gateway, it should
not send the address update. Also, if NAT traversal is active, then
this update request should not be honored by the responder of this message.
2. What is the need for sending SPIs in the UPDATE request?
IKE receives this message on a particular IKE SA. The IKE SA has the original
IP address, and from the source IP address of the packet it knows the
new IP address. This new IP address is used to update the IKE SA and
the corresponding IPSEC SAs.
Regards,
Ravi
--
The views presented in this mail are completely mine. The company is not responsible for whatsoever.
----------
Ravi Kumar CH
Rendezvous On Chip (i) Pvt Ltd
Hyderabad, India
Ph: +91-40-2335 1214 / 1175 / 1184