Re: some concerns about last IKEv2 draft
Francis Dupont writes:
> I think the current draft does say that.
> => I don't think so, or at least it is unclear.
I still do not think this is unclear.
> It says that host not behind
> NAT SHOULD send all packets to the last valid authenticated source
> address seen from the peer. And then it says that both IKE packets and
> UDP encapsulated ESP packets can be used to get that last
> authenticated source address.
>
> => we agree about what to do. The text says:
>
> There are cases where a NAT box decides to remove mappings that
> are still alive (for example, the keepalive interval is too long,
> or the NAT box is rebooted). To recover in these cases, hosts that
> are not behind a NAT SHOULD send all packets (including retried
> packets) to the IP address and port from the last valid
> authenticated packet from the other end.
>
> The context suggests IKE packets, so we should agree about a clarification,
> for instance by adding ESP packets to the "(including retried".
Note that after that, at the end of the paragraph, it describes what it
means by the "authenticated packet":
----------------------------------------------------------------------
Any authenticated IKE packet or any authenticated UDP
encapsulated ESP packet can be used to detect that the IP
address or the port has changed.
----------------------------------------------------------------------
(I fixed the "IKE encapsulated ESP packet" to the correct "UDP
encapsulated ESP packet").
> IPsec traffic does not change addresses at all unless there is NAT
> between. The current draft explicitly says that the IPsec SA is created
> implicitly between the IP addresses used for the IKE SA.
>
> => no, this is not explicit. My proposal is to make this clearly explicit,
> and it seems you agree with me.
I think this is quite explicit:
----------------------------------------------------------------------
IKE runs over UDP ports 500 and 4500, and implicitly sets up ESP and
AH associations for the same IP addresses it runs over.
----------------------------------------------------------------------
What is the problem with the current text, and what should be added
there to make it more clear?
> => this "when they were negotiated" has to be clarified. And I prefer
> (for security reasons, with a SHOULD) to use the IKE SA addresses
> than the addresses in the CREATE_CHILD_SA message (in this context,
> i.e., no NAT-T or not for the peer behind a NAT).
Ok, now I do understand. Yes, I do agree that we SHOULD use the
addresses of the initial IKE SA creation, not the CREATE_CHILD_SA
messages.
--
kivinen@ssh.fi
SSH Communications Security http://www.ssh.fi/
SSH IPSEC Toolkit http://www.ssh.fi/ipsec/
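The address-update rule under discussion (a host not behind a NAT sends to the source address and port of the last authenticated packet from the peer, whether IKE or UDP-encapsulated ESP, and never moves on an unauthenticated one), as an added illustration that is not part of this thread or of any IKEv2 implementation; the HMAC key, addresses and packet bodies are constructed for the demo:

```python
import hmac
import hashlib

# Constructed demo key; real IKE/ESP integrity keys are derived in the IKE_SA_INIT exchange.
KEY = b"demo-shared-integrity-key"
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # on UDP 4500, IKE packets start with four zero bytes
TAG_LEN = 12

def make_packet(body: bytes, ike: bool, key: bytes = KEY) -> bytes:
    """Build a UDP-4500 payload: IKE packets carry the non-ESP marker, ESP packets do not."""
    data = (NON_ESP_MARKER if ike else b"") + body
    return data + hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]

class PeerTracker:
    """Where a host that is not behind a NAT sends to: the source address/port of the
    last packet from the peer that passed integrity checking, IKE or ESP alike."""
    def __init__(self, peer: tuple[str, int]) -> None:
        self.peer = peer

    def receive(self, src: tuple[str, int], payload: bytes) -> str:
        data, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
        expected = hmac.new(KEY, data, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return "dropped"           # unauthenticated packets never move the peer address
        kind = "ike" if data.startswith(NON_ESP_MARKER) else "esp"
        self.peer = src                # authenticated IKE and ESP both update the mapping
        return kind

def simulate() -> list[tuple[str, int]]:
    """Constructed scenario: the NAT in front of the peer reboots and hands out a new port."""
    t = PeerTracker(("192.0.2.10", 4500))
    history = [t.peer]
    t.receive(("192.0.2.10", 4500), make_packet(b"IKE_AUTH", ike=True))
    history.append(t.peer)
    # NAT restarted: same peer, new public port, first packet after restart is ESP traffic
    t.receive(("192.0.2.10", 40001), make_packet(b"\x00\x00\x12\x34ESP", ike=False))
    history.append(t.peer)
    # Spoofed packet from elsewhere with the wrong key: must not redirect the SA
    t.receive(("203.0.113.5", 4500), make_packet(b"IKE_AUTH", ike=True, key=b"wrong"))
    history.append(t.peer)
    return history

if __name__ == "__main__":
    for addr in simulate():
        print(addr)
```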