
Regarding Peer Address Update



Hi All,

I also felt that this is a very powerful feature, where the IKE SA and IPSEC SAs are not terminated even when the external IP address of the box changes (via DHCP from the ISP or PPP from the ISP, or, in the case of mobile-ip, it is the care-of-address that changes). Whenever the IP address is changed, it can inform the peer of this change.

I have some questions and comments:

1. If the security appliance or client is behind the NAT gateway, it should not send the address update. Also, if NAT traversal is active, then this update request should not be honored by the responder of this message.

2. What is the need for sending SPIs in the UPDATE request? IKE receives this message on a particular IKE SA. The IKE SA has the original IP address and, from the source IP address of the packet, it knows the new IP address. This new IP address is used to update the IKE SA and corresponding IPSEC SAs.

Regards,
Ravi

--
The views presented in this mail are completely mine. The company is not responsible for whatsoever.
----------
Ravi Kumar CH
Rendezvous On Chip (i) Pvt Ltd
Hyderabad, India
Ph: +91-40-2335 1214 / 1175 / 1184
ROC home page