
Comments to draft-ietf-ipsec-ikev2-08.txt NAT-traversal



The current draft-ietf-ipsec-ikev2-08.txt is still missing some small
pieces of the text needed for the NAT-Traversal to work.

First the NAT_DETECTION_DESTINATION_IP should specify that if this end
is behind a NAT, then this end SHOULD start sending keepalive packets
as defined in [Hutt02].

----------------------------------------------------------------------
        NAT_DETECTION_DESTINATION_IP             24583

            This notification is used by its recipient to determine
            whether it is behind a NAT box. The data associated with
            this notification is a SHA-1 digest of the SPIs (in the
            order they appear in the header), IP address and port to
            which this packet was sent.  The recipient of this
            notification MAY compare the supplied value to a hash of the
            SPIs, destination IP address and port and if they don't
            match it SHOULD invoke NAT traversal (see section 2.23). If
            they don't match, it means that this end is behind a NAT.
            Alternately, it MAY reject the connection attempt if NAT
            traversal is not supported.
----------------------------------------------------------------------

=>
----------------------------------------------------------------------
...
            match it SHOULD invoke NAT traversal (see section 2.23). If
            they don't match, it means that this end is behind a NAT
            and this end SHOULD start sending keepalive packets as
            defined in [Hutt02]. Alternately, it MAY reject the
            connection attempt if NAT traversal is not supported.
----------------------------------------------------------------------

Also there is some text missing explaining where the nodes can get
the original source and destination addresses (i.e. from the traffic
selectors). As the traffic selectors are mandatory, they will always
contain the original IP address for the connection (i.e. without the
NAT processing). Those values can then be used in the transport mode
NAT-T to do the checksum fixup for the TCP and UDP packets.

This text should be added to section 2.23:

----------------------------------------------------------------------
   The original source and destination IP addresses required for the
   transport mode TCP and UDP packet checksum fixup (see [Hutt02]) are
   obtained from the Traffic Selectors associated with the exchange.
   In case of NAT-T the Traffic Selectors MUST contain exactly one
   IP address, which is then used as the original IP address.
----------------------------------------------------------------------

The current draft also does not say anything about how to recover
from expiring NAT mappings, i.e. if the NAT box changes the NAT
mapping in the middle of the IKE SA use.

For the implicit address update we need the following changes:

1) Add a paragraph to the NAT_DETECTION_SOURCE_IP notification
   description about when to enable the implicit address update:

----------------------------------------------------------------------
	      If this check fails it means that the other end is
	      behind NAT and this end SHOULD enable the NAT Traversal
	      implicit address updating (see section X.XX).
----------------------------------------------------------------------

2) Add the section about the implicit address updating (2.24?)

----------------------------------------------------------------------
X.XX NAT Traversal Implicit Address Updating

     There are cases where a NAT box decides to remove mappings that are
     still alive (for example, the keepalive interval is too long, or
     the NAT box is rebooted). To recover from those, hosts which are
     NOT behind NAT SHOULD use the last valid authenticated packet
     from the other end to determine which IP and port addresses
     should be used. A host behind a dynamic NAT MUST NOT do this as
     otherwise it opens a DoS attack possibility, and there is no need
     for that, because the IP address or port of the other host will not
     change (it is not behind NAT).

     Keepalives cannot be used for this purpose as they are not
     authenticated, but any authenticated IKE packet or UDP
     encapsulated ESP packet can be used to detect that the IP address
     or the port has changed.
----------------------------------------------------------------------

Note that those texts DO NOT have anything to do with Mobile IP; they
are only needed and useful for the NAT-T case.
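To illustrate both the NAT_DETECTION hash check quoted earlier and the proposed implicit address updating rules, here is an added Python sketch (not text from the draft or from SSH's toolkit). The concatenation of the fields (raw address bytes, port as 2-byte network order) and the SPI sample values are assumptions; the draft text only fixes which fields are hashed and their order.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Data for a NAT_DETECTION_*_IP notification: SHA-1 over the two SPIs
    in header order, then the IP address, then the port.  Hashing the raw
    address bytes and the port as a 2-byte network-order value is an assumed
    encoding; the quoted draft text fixes only the fields and their order."""
    addr = ipaddress.ip_address(ip).packed          # 4 bytes (IPv4) or 16 (IPv6)
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def behind_nat(received: bytes, spi_i: bytes, spi_r: bytes,
               local_ip: str, local_port: int) -> bool:
    """Recipient check for NAT_DETECTION_DESTINATION_IP: recompute the hash
    over the address and port the packet actually arrived on.  A mismatch
    means a NAT rewrote the destination, i.e. this end is behind a NAT and
    should start sending keepalives."""
    return received != nat_detection_hash(spi_i, spi_r, local_ip, local_port)


class PeerAddress:
    """Implicit address updating for one IKE SA, following the proposed
    section X.XX: only a host that is NOT itself behind a NAT moves the
    peer's address, and only on an authenticated packet."""

    def __init__(self, ip: str, port: int, self_behind_nat: bool):
        self.ip, self.port = ip, port
        self.self_behind_nat = self_behind_nat

    def on_packet(self, src_ip: str, src_port: int, authenticated: bool) -> bool:
        """Return True if the peer address was updated from this packet."""
        if not authenticated:          # keepalives are unauthenticated: ignore
            return False
        if self.self_behind_nat:       # MUST NOT update: DoS risk, and no need
            return False
        if (src_ip, src_port) == (self.ip, self.port):
            return False
        self.ip, self.port = src_ip, src_port   # NAT mapping changed; follow it
        return True
```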
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/