
Re: Working Group Last Call IKEv2

 In your previous mail you wrote:

   I have some concerns about the current draft (08), here are
   the major concerns:

    - the NAT traversal facility is clearly unfinished: what
      is the decision about this: postpone this to another
      draft, give up all missing stuff, something else?

      Two examples of missing stuff:
       * the encapsulation of ESP in UDP 4500
       * the implicit peer address update mechanism

    - the peer addresses (the addresses IKE runs over, cf 2.11) are
      not protected, this makes IKEv2 usable to launch DoS attacks
      by modifying addresses in IP headers of some packets.

      Initial CHILD_SA establishment can be made safe if NAT detection
      (i.e., NAT_DETECTION_{SOURCE,DESTINATION}_IP) is mandatory for
      all implementations (I can't see any problem with this and
      the proposed modification to the draft is very simple: put
      the relevant statement some lines before or after its current

      If this is accepted, we have two ways to protect the addresses
      of peers which are not behind a NAT:
       * always use the peer address of the IKE_SA_INIT messages as
         the address of the endpoint in any derived SA (i.e., "lock"
         it, the idea is from Tero Kivinen).
       * introduce a new notification to specify the proper peer
         address(es). This idea (mine) gives better support for SCTP
         and similar cases but needs more work/time.
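The responder-side logic the mail argues for, written out as an added example (my code, not the draft's text nor anyone's implementation): mandatory NAT detection on IKE_SA_INIT, followed by the "lock" proposal, where the peer address observed in IKE_SA_INIT becomes the only address accepted as the endpoint of derived SAs for a peer that is not behind a NAT. The NAT_DETECTION_*_IP body is assumed to be SHA-1 over SPIi | SPIr | IP address | port, the format RFC 7296 later fixed; the SPIs, addresses and ports below are constructed sample values. The code accepts both IPv4 and IPv6 addresses, which goes slightly beyond the mail's discussion.

```python
import hashlib
import ipaddress
import struct
from dataclasses import dataclass

# Results of the peer-address lock check.
LOCK_OK = "ok"                    # address matches the one seen in IKE_SA_INIT
LOCK_MISMATCH = "mismatch"        # address changed: treat as a spoofed/forged packet
LOCK_NOT_APPLICABLE = "nat-peer"  # peer is behind a NAT; lock does not apply


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Body of a NAT_DETECTION_{SOURCE,DESTINATION}_IP notification.

    Assumed format (RFC 7296, section 2.23): SHA-1(SPIi | SPIr | IP | port).
    The IP address is the raw 4- or 16-byte form, the port is big-endian 16-bit.
    """
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


@dataclass
class IkeSa:
    spi_i: bytes
    spi_r: bytes
    locked_peer_addr: tuple   # (ip, port) observed in the IKE_SA_INIT message
    peer_behind_nat: bool


def process_init(spi_i: bytes, spi_r: bytes, src_ip: str, src_port: int,
                 received_nat_src_hash: bytes) -> IkeSa:
    """Responder handling of IKE_SA_INIT with mandatory NAT detection.

    The initiator hashes the address it believes it is sending from; the
    responder hashes the address it actually observed. A mismatch means a
    NAT rewrote the packet somewhere in between.
    """
    expected = nat_detection_hash(spi_i, spi_r, src_ip, src_port)
    behind_nat = expected != received_nat_src_hash
    # "Lock" the observed address for the lifetime of the IKE SA.
    return IkeSa(spi_i, spi_r, (src_ip, src_port), behind_nat)


def accept_message(sa: IkeSa, src_ip: str, src_port: int) -> str:
    """Check a later IKE message (e.g. CREATE_CHILD_SA) against the lock.

    For a peer not behind a NAT, only the IKE_SA_INIT address may be used as
    the endpoint of any derived SA, so a packet whose IP header was altered
    in transit cannot redirect SA traffic to a victim address.
    """
    if sa.peer_behind_nat:
        # Address updates for NATed peers need the (unfinished) update
        # mechanism from the mail; the lock is not applied here.
        return LOCK_NOT_APPLICABLE
    if (src_ip, src_port) == sa.locked_peer_addr:
        return LOCK_OK
    return LOCK_MISMATCH


if __name__ == "__main__":
    # Constructed sample values.
    spi_i, spi_r = b"\x01" * 8, b"\x02" * 8
    initiator_hash = nat_detection_hash(spi_i, spi_r, "192.0.2.1", 500)
    sa = process_init(spi_i, spi_r, "192.0.2.1", 500, initiator_hash)
    print("behind NAT:", sa.peer_behind_nat)
    print("same address:", accept_message(sa, "192.0.2.1", 500))
    print("altered address:", accept_message(sa, "198.51.100.7", 500))
```

The check on the later message is what turns a header-modification attempt into a detectable event: a mismatch is a signal to drop the packet and log it, not to update the SA endpoint.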