
Re: Nat Traversal concern in IKEv2



 In your previous mail you wrote:

   
   So when sending NAT_DETECTION_SOURCE_IP or NAT_DETECTION_DESTINATION_IP 
   these payloads contain a SHA1 hash of the IP address and port.
                                 ^^^^

=> please note this is a plain hash.
   
   So I perceive a requirement that the key used for this 
   SHA1 in the NAT_DETECTION_* payloads MUST NOT be related in any way to 
   the keys or key generating material used for privacy, integrity and 
   authentication later. This requirement seems onerous.
   
=> as there is no such key the requirement is fulfilled.
   
   So perhaps we could move the  NAT_DETECTION_SOURCE_IP and 
   NAT_DETECTION_DESTINATION_IP payloads to somewhere in the protected 
   portion of the IKE exchanges and just put the IP/port in the packet 
   directly (not a SHA1 hash).
   
=> this should give another useful but different property: protection
of the peer addresses and ports...

Regards

Francis.Dupont@enst-bretagne.fr
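
The point made in the reply above, that the NAT_DETECTION_* payloads carry a plain, unkeyed SHA-1, shown as an added example that is not part of the original message. The hash input layout (SPIs, then address, then port) is taken from RFC 7296 section 2.23, which is an assumption relative to the draft under discussion; the function names, SPI values and addresses are constructed for illustration.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Unkeyed SHA-1 over SPIi | SPIr | IP | port. No secret is involved,
    so nothing here is tied to later keying material."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 octets each")
    addr = ipaddress.ip_address(ip).packed  # 4 octets for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def detect_nat(spi_i, spi_r, src_hashes, dst_hash, seen_src, seen_dst):
    """Receiver side: recompute the hashes from the addresses actually seen on
    the packet and compare them with the payload contents.
    Returns (peer_behind_nat, local_behind_nat)."""
    observed_src = nat_detection_hash(spi_i, spi_r, *seen_src)
    observed_dst = nat_detection_hash(spi_i, spi_r, *seen_dst)
    # A sender may include several SOURCE_IP payloads; any match means no NAT.
    peer_behind_nat = observed_src not in src_hashes
    local_behind_nat = observed_dst != dst_hash
    return peer_behind_nat, local_behind_nat


# Constructed sample values (documentation address ranges, made-up SPI).
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes(8)  # responder SPI is zero in the first IKE_SA_INIT request
SENDER_SRC = ("192.168.1.10", 500)
SENDER_DST = ("203.0.113.5", 500)


def demo():
    """Build the payload hashes as the sender, then check them as the receiver,
    once with the packet untouched and once with the source rewritten by a NAT."""
    src_hashes = [nat_detection_hash(SPI_I, SPI_R, *SENDER_SRC)]
    dst_hash = nat_detection_hash(SPI_I, SPI_R, *SENDER_DST)
    untouched = detect_nat(SPI_I, SPI_R, src_hashes, dst_hash, SENDER_SRC, SENDER_DST)
    rewritten = detect_nat(SPI_I, SPI_R, src_hashes, dst_hash,
                           ("198.51.100.7", 31337), SENDER_DST)
    return untouched, rewritten


if __name__ == "__main__":
    print(demo())
```

Because the digest is unkeyed, anyone who knows the SPIs can recompute it for a candidate address and port, so it detects rewriting but does not hide the peer addresses.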