
Re: NAT-T, IKEv2, Vendor ID, port floating??



 In your previous mail you wrote:

   >  - is the support of NAT detection mandatory? For some other reasons
   >    (implicit peer address protection) I strongly believe it should be
   >    mandatory when the IKE_SA_INIT is done over port 500 and to answer
   >    the next point it should be mandatory in all cases.
   
   It is mandatory to be able to ignore those packets. It is not
   mandatory to be able to reply to them. 
   
=> in my idea to make NAT detection mandatory there are two parts:
 - the initiator must put NAT_DETECTION_* notifications in the
   first message.
 - the responder must reply to the NAT_DETECTION_* notifications.
I agree this is a change from the current specs.

   >    I don't think so because a responder can reject the NAT-T in
   >    IKE_AUTH, i.e., I make a distinction between no NAT-T support
   >    and disabled NAT-T support: real no NAT-T support is just
   >    inconvenience, NAT-T should be supported but can be disabled
   >    for policy reasons for instance. Note the NAT detection works
   >    for both the initiator and the responder even if only the initiator
   >    uses it, so the next point is:
   
   To detect that NAT-T is supported AND enabled, you must have both
   received and sent NAT_DETECTION_* notifications. If those payloads
   are only going in one direction, that means that other end either does
   not support NAT-T or it is disabled. 
   
=> this makes sense only if NAT detection is not mandatory...
Obviously my idea to use NAT detection to indirectly protect
the peer addresses has an impact here but it is the simplest
way to avoid attacks on the peer addresses and one can still
reject IKE_AUTH when a NAT is detected but not accepted.

   >  - does the use of UDP port 4500 imply the use of NAT-T? As the
   >    NAT detection (which I want to make mandatory) is reliable for
   >    both peers, this doesn't really matter but the document should
   >    be clarified about this point.
   
   Use of port 4500 only implies that the other end supports the
   different format used for that port. It does not imply support of the
   NAT-T (although I see no point of supporting the format only used by
   NAT-T if you do not support NAT-T). It also does not imply whether the
   NAT-T is enabled.

=> fine with me (when it is in the document or its companion tutorial).

Thanks

Francis.Dupont@enst-bretagne.fr
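The detection rule argued over in this message (NAT-T is only known to be supported and enabled when NAT_DETECTION_* notifications were both sent and received; a one-directional exchange says nothing, and port 4500 alone implies nothing) can be written out as a small decision routine. The block below is an added example for this thread, not code from any IKE implementation or from the draft itself. The hash layout is the one IKEv2 specifies (RFC 7296 section 2.23: SHA-1 over SPIi, SPIr, IP address, port) and the notify type numbers are the registered ones; the SPIs, addresses and ports are constructed sample values, and the function and class names are my own.

```python
"""IKEv2 NAT detection worked example (added for this thread; not code
from any IKE implementation).  Hash layout follows RFC 7296 section 2.23:
SHA-1(SPIi | SPIr | IP address | port).  All SPIs, addresses and ports
below are constructed sample values."""

import hashlib
import ipaddress
import struct
from dataclasses import dataclass

# Notify message types registered for NAT detection (RFC 7296 section 3.10.1).
NAT_DETECTION_SOURCE_IP = 16388
NAT_DETECTION_DESTINATION_IP = 16389


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over the SPIs in header order, the packed IP address and the
    16-bit UDP port.  SPIr is eight zero bytes in the initiator's IKE_SA_INIT."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def build_nat_detection(spi_i, spi_r, local_ip, local_port, remote_ip, remote_port):
    """Notifications a peer places in IKE_SA_INIT, computed from the addresses
    it believes it is using.  Returned as {notify_type: [hash, ...]}."""
    return {
        NAT_DETECTION_SOURCE_IP: [nat_detection_hash(spi_i, spi_r, local_ip, local_port)],
        NAT_DETECTION_DESTINATION_IP: [nat_detection_hash(spi_i, spi_r, remote_ip, remote_port)],
    }


@dataclass
class NatStatus:
    nat_t_available: bool   # notifications went in BOTH directions
    peer_behind_nat: bool   # peer's view of its own address != what we observed
    self_behind_nat: bool   # peer's view of our address != our own view


def evaluate_nat_detection(spi_i, spi_r, we_sent, received,
                           observed_peer_ip, observed_peer_port,
                           own_ip, own_port) -> NatStatus:
    """Decision rule from the thread: NAT-T is usable only when we sent and
    received the notifications.  If they travelled one way only, the peer
    either lacks NAT-T or has it disabled, and no NAT conclusion is drawn."""
    src_hashes = received.get(NAT_DETECTION_SOURCE_IP, [])
    dst_hashes = received.get(NAT_DETECTION_DESTINATION_IP, [])
    if not we_sent or not src_hashes or not dst_hashes:
        return NatStatus(False, False, False)
    # A peer with several interfaces may send several SOURCE hashes; a NAT is
    # reported only when none of them matches the address we actually saw.
    seen_peer = nat_detection_hash(spi_i, spi_r, observed_peer_ip, observed_peer_port)
    peer_behind_nat = seen_peer not in src_hashes
    own_view = nat_detection_hash(spi_i, spi_r, own_ip, own_port)
    self_behind_nat = own_view not in dst_hashes
    return NatStatus(True, peer_behind_nat, self_behind_nat)


# Constructed scenario: initiator on 10.0.0.5:500 behind a NAT that the
# responder (198.51.100.1:500) sees as 203.0.113.7:12345.
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes(8)  # responder SPI is still zero in the initiator's first message
FROM_INITIATOR = build_nat_detection(SPI_I, SPI_R, "10.0.0.5", 500, "198.51.100.1", 500)


def responder_scenario() -> NatStatus:
    """Responder has NAT-T enabled and answers with its own notifications."""
    return evaluate_nat_detection(SPI_I, SPI_R, True, FROM_INITIATOR,
                                  "203.0.113.7", 12345, "198.51.100.1", 500)


def one_sided_scenario() -> NatStatus:
    """Same packet, but responder policy disables NAT-T, so it sent nothing
    back: the exchange is one-directional and nothing is concluded."""
    return evaluate_nat_detection(SPI_I, SPI_R, False, FROM_INITIATOR,
                                  "203.0.113.7", 12345, "198.51.100.1", 500)


if __name__ == "__main__":
    print(responder_scenario())   # NAT-T available, initiator behind NAT
    print(one_sided_scenario())   # NAT-T not available, no NAT verdict
```

Note that the observed source address and port are taken from the UDP header of the packet as it arrived, which is exactly why the check only works when the responder compares against what it saw rather than what the initiator claims; a mismatched SOURCE hash with a matching DESTINATION hash is the "initiator behind NAT, responder not" case discussed above.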