
NAT-T, IKEv2, Vendor ID, port floating??

Tom Hu writes:
> In IKEv1, peers should exchange vendor ID to know each other capability
> of NAT-T.
> In IKEv2, NAT-T implementation is optional. Should we exchange Vendor ID
> (NAT-T) at Initial exchange? 

No. In IKEv1 we needed to have vendor ID, because we needed to know if
the other end supported NAT-T discovery payloads or not.

In IKEv2 ALL implementations MUST be able to at least ignore the
NAT_DETECTION_* notification payloads, i.e. there is no need to know if
the other end supports NAT_DETECTION_* notifications or not (see
section 3.10.1, third paragraph, saying that unknown status
notifications MUST be ignored if not recognized). If the initiator
supports NAT-T, it includes NAT_DETECTION_* notifications in all
requests. If the responder supports NAT-T, and it received NAT_DETECTION_*
notifications from the initiator, it includes its own NAT_DETECTION_*
notifications.

There is no point for the responder to include those notifications if
it didn't receive them from the initiator, as it knows that the other
end does not support NAT-T (or it is disabled), because it didn't
include NAT_DETECTION_* notifications. The initiator must still be
able to ignore those if the responder decides to include them.

Both ends should only enable NAT-T if they have both sent and received
NAT_DETECTION_* notifications, and detected that there is a NAT between
them. If NAT-T is disabled by configuration then the end MUST NOT send
NAT_DETECTION_* payloads, because if there is a NAT between them the
other end will enable NAT-T and there is no way to tell it otherwise.

> Another question is that Initiator and Responder exchange the NAT-D to
> find the NAT existence at Initial Exchange. Does it mean at the AUTH
> exchange, both peers should float the port to 4500?

If the NAT is detected inside the IKE_SA_INIT exchange then the
initiator should change the source and destination port to 4500 (the
responder MUST support listening on port 4500 if it has NAT-T
supported and enabled (2.23, second last paragraph)).

I.e. the AUTH exchange is done over port 4500. The initiator can
initiate IKE_SA_INIT on port 4500 if it knows by some other means that
the other end supports and allows NAT-T (i.e. either by manual
configuration, or because the other end supported it earlier, etc.).
The initiator can also always start by using port 500 if it wants to.
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
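The rules in the message above (send NAT_DETECTION_* only when NAT-T is enabled, echo them only if received, enable NAT-T only when both sent and received and a mismatch shows a NAT, then float to 4500 for IKE_AUTH), carried through as an added Python simulation. This is editorial example code, not part of the original message and not code from SSH's IPSEC Toolkit. The hash construction is the one from RFC 7296 section 2.23 (SHA-1 over SPIi | SPIr | address | port, SPIr all zeros in the IKE_SA_INIT request); the SPIs, addresses, NAT mapping and the Peer/IkeMsg helpers are constructed for the illustration.

```python
import hashlib
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IKE_PORT = 500        # port IKE_SA_INIT normally starts on
IKE_NATT_PORT = 4500  # port the exchange floats to once a NAT is detected

Addr = Tuple[str, int]  # (IP address, UDP port)


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Data of a NAT_DETECTION_{SOURCE,DESTINATION}_IP notification:
    SHA-1(SPIi | SPIr | address | port), SPIs in header order (SPIr is
    all zeros in the IKE_SA_INIT request), port as a 2-byte big-endian
    integer (RFC 7296, section 2.23)."""
    packed_ip = ipaddress.ip_address(ip).packed  # 4 or 16 bytes
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


@dataclass
class Peer:  # constructed helper, not a real implementation's type
    ip: str
    port: int
    natt_enabled: bool = True  # the configuration knob discussed above


@dataclass
class IkeMsg:
    """Just the parts of an IKE_SA_INIT request/response that matter here."""
    spi_i: bytes
    spi_r: bytes
    src: Addr  # addresses as the receiver sees them on the wire
    dst: Addr
    nat_src: Optional[bytes] = None  # NAT_DETECTION_SOURCE_IP, if sent
    nat_dst: Optional[bytes] = None  # NAT_DETECTION_DESTINATION_IP, if sent


def build_msg(spi_i: bytes, spi_r: bytes, src: Addr, dst: Addr,
              include_nat_d: bool) -> IkeMsg:
    """Sender side: the hashes cover the addresses the sender believes it
    is using, which is exactly what a NAT in the path will change."""
    msg = IkeMsg(spi_i, spi_r, src, dst)
    if include_nat_d:
        msg.nat_src = nat_detection_hash(spi_i, spi_r, *src)
        msg.nat_dst = nat_detection_hash(spi_i, spi_r, *dst)
    return msg


def check_nat_d(msg: IkeMsg) -> Tuple[bool, bool]:
    """Receiver side: recompute both hashes over the addresses actually
    observed and compare. Returns (sender_behind_nat, receiver_behind_nat)."""
    seen_src = nat_detection_hash(msg.spi_i, msg.spi_r, *msg.src)
    seen_dst = nat_detection_hash(msg.spi_i, msg.spi_r, *msg.dst)
    return msg.nat_src != seen_src, msg.nat_dst != seen_dst


def through_nat(msg: IkeMsg, table: Dict[Addr, Addr], outbound: bool) -> IkeMsg:
    """Constructed NAT box: outbound packets get their source rewritten to
    the public mapping, inbound packets get the public destination mapped
    back to the private host. Payload contents are left untouched."""
    if outbound:
        src, dst = table.get(msg.src, msg.src), msg.dst
    else:
        inverse = {pub: priv for priv, pub in table.items()}
        src, dst = msg.src, inverse.get(msg.dst, msg.dst)
    return IkeMsg(msg.spi_i, msg.spi_r, src, dst, msg.nat_src, msg.nat_dst)


def run_ike_sa_init(initiator: Peer, responder: Peer,
                    nat: Optional[Dict[Addr, Addr]] = None) -> dict:
    """One IKE_SA_INIT round trip applying the rules from the message."""
    nat = nat or {}
    spi_i = bytes.fromhex("0f1e2d3c4b5a6978")  # constructed SPIs
    spi_r = bytes.fromhex("a1b2c3d4e5f60718")

    # Initiator: sends NAT_DETECTION_* only when NAT-T is enabled; when it
    # is disabled it MUST NOT send them, or the peer would turn NAT-T on.
    req = build_msg(spi_i, bytes(8), (initiator.ip, initiator.port),
                    (responder.ip, responder.port), initiator.natt_enabled)
    req = through_nat(req, nat, outbound=True)

    # Responder: ignores the payloads if NAT-T is off; answers with its own
    # only if it received them, and replies to the address it saw.
    resp_includes = req.nat_src is not None and responder.natt_enabled
    resp_view = check_nat_d(req) if resp_includes else None
    resp = build_msg(spi_i, spi_r, req.dst, req.src, resp_includes)
    resp = through_nat(resp, nat, outbound=False)

    # Initiator: NAT-T is on only if it both sent and received the payloads
    # and a mismatch shows a NAT in either direction.
    init_view = (check_nat_d(resp)
                 if req.nat_src is not None and resp.nat_src is not None
                 else None)
    nat_detected = init_view is not None and any(init_view)

    # Both sides must reach the same conclusion (their views are mirrored).
    peers_agree = ((resp_view is None and init_view is None) or
                   (resp_view is not None and init_view is not None and
                    resp_view == (init_view[1], init_view[0])))

    return {
        "initiator_sent_nat_d": req.nat_src is not None,
        "responder_sent_nat_d": resp.nat_src is not None,
        "nat_detected": nat_detected,
        "initiator_behind_nat": bool(init_view and init_view[1]),
        "responder_behind_nat": bool(init_view and init_view[0]),
        "peers_agree": peers_agree,
        "ike_auth_port": IKE_NATT_PORT if nat_detected else IKE_PORT,
    }


if __name__ == "__main__":
    # Constructed topology: initiator on a private address behind a NAT
    # that maps it to a public address and an arbitrary port.
    nat_table = {("10.0.0.5", 500): ("203.0.113.7", 31337)}
    print(run_ike_sa_init(Peer("10.0.0.5", 500), Peer("198.51.100.1", 500), nat_table))
```

Running the four configurations (NAT present, no NAT, initiator with NAT-T disabled, responder with NAT-T disabled) shows why the "MUST NOT send if disabled" rule exists: a disabled initiator behind a NAT sends nothing, so the responder sends nothing and neither side floats; a disabled responder simply never echoes, so the initiator, having sent but not received, stays on port 500.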