Re: Nat Traversal concern in IKEv2
In your previous mail you wrote:

So when sending NAT_DETECTION_SOURCE_IP or NAT_DETECTION_DESTINATION_IP
these payloads contain a SHA1 hash of the IP address and port.
^^^^

=> please note this is a plain hash.

So I perceive a requirement that the key used for this
SHA1 in the NAT_DETECTION_* payloads MUST NOT be related in any way to
the keys or key generating material used for privacy, integrity and
authentication later. This requirement seems onerous.

=> as there is no such key the requirement is fulfilled.

So perhaps we could move the NAT_DETECTION_SOURCE_IP and
NAT_DETECTION_DESTINATION_IP payloads to somewhere in the protected
portion of the IKE exchanges and just put the IP/port in the packet
directly (not a SHA1 hash).

=> this should give another useful but different property: protection
of the peer addresses and ports...

Regards
Francis.Dupont@enst-bretagne.fr
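
The unkeyed hash discussed in this message, shown as an added example that is not part of the original mail or of any IKE implementation: it computes the NAT_DETECTION_* data and performs the receiver-side comparison. The input layout (SPIi, SPIr, address, port) is taken from RFC 7296 section 2.23, which is an assumption beyond what the mail states; the function names, SPI and addresses are constructed for illustration.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Plain SHA-1 over SPIi | SPIr | IP | port. No key is involved."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 octets each")
    addr = ipaddress.ip_address(ip).packed  # 4 octets for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def detect_nat(spi_i, spi_r, src_hashes, dst_hash, seen_src, seen_dst):
    """Receiver side: recompute the hashes from the IP/UDP header actually
    seen on the wire and compare them with the payload values."""
    src_expected = nat_detection_hash(spi_i, spi_r, *seen_src)
    dst_expected = nat_detection_hash(spi_i, spi_r, *seen_dst)
    return {
        # Sender may list several source hashes (multiple interfaces).
        "peer_behind_nat": src_expected not in src_hashes,
        "local_behind_nat": dst_expected != dst_hash,
    }


def demo():
    # Constructed values: first IKE_SA_INIT request, so SPIr is still zero.
    spi_i, spi_r = bytes.fromhex("0102030405060708"), bytes(8)
    sent_src, sent_dst = ("192.168.1.10", 500), ("198.51.100.7", 500)
    src_payload = [nat_detection_hash(spi_i, spi_r, *sent_src)]
    dst_payload = nat_detection_hash(spi_i, spi_r, *sent_dst)
    # A NAT on the path rewrites the source address and port in transit.
    wire_src = ("203.0.113.5", 61001)
    return detect_nat(spi_i, spi_r, src_payload, dst_payload, wire_src, sent_dst)


if __name__ == "__main__":
    print(demo())
```

Because the digest takes no secret input, any party that sees the SPIs can recompute it for a guessed address and port, which is why the payload detects translation but does not by itself hide the peer addresses.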