
Re: some concerns about last IKEv2 draft



Francis Dupont writes:
>    I think the current draft does say that.
> => I don't think so, or at least it is unclear.

I still do not think this is unclear. 

>    It says that host not behind
>    NAT SHOULD send all packets to the last valid authenticated source
>    address seen from the peer. And then it says that both IKE packets and
>    UDP encapsulated ESP packets can be used to get that last
>    authenticated source address. 
>    
> => we agree about what to do. The text says:
> 
>        There are cases where a NAT box decides to remove mappings that
>        are still alive (for example, the keepalive interval is too long,
>        or the NAT box is rebooted). To recover in these cases, hosts that
>        are not behind a NAT SHOULD send all packets (including retried
>        packets) to the IP address and port from the last valid
>        authenticated packet from the other end.
> 
> The context suggests IKE packets, so we should agree about a clarification,
> for instance by adding ESP packets to the "(including retried".

Note, that after that, at the end of paragraph it describes what it
means by the "authenticated packet":

----------------------------------------------------------------------
      Any authenticated IKE packet or any authenticated UDP
      encapsulated ESP packet can be used to detect that the IP
      address or the port has changed.
----------------------------------------------------------------------

(I fixed the "IKE encapsulated ESP packet" to the correct "UDP
encapsulated ESP packet"). 

>    IPsec traffic does not change addresses at all unless there is NAT
>    between. The current draft explicitly says that the IPsec SA is created
>    implicitly between the IP addresses used for the IKE SA.
> 
> => no, this is not explicit. My proposal is to make this clearly explicit,
> and it seems you agree with me.

I think this is quite explicit:
----------------------------------------------------------------------
   IKE runs over UDP ports 500 and 4500, and implicitly sets up ESP and
   AH associations for the same IP addresses it runs over. 
----------------------------------------------------------------------

What is the problem with current text, and what should be added to
there to make it more clear?

> => this "when they were negotiated" has to be clarified. And I prefer
> (for security reasons, with a SHOULD) to use the IKE SA addresses
> than the addresses in the CREATE_CHILD_SA message (in this context,
> i.e., no NAT-T or not for the peer behind a NAT).

Ok, now I do understand. Yes, I do agree that we SHOULD use the
addresses of the initial IKE SA creation, not the CREATE_CHILD_SA
messages.
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
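To make the rule under discussion concrete, here is an added Python sketch (mine, not text from the draft or from either poster) of the address-update logic: a host not behind a NAT moves the stored peer address only on an authenticated packet, whether IKE or UDP-encapsulated ESP, a host behind a NAT never moves it, and a child SA takes its endpoints from the IKE SA. The HMAC key, the port 4500 framing helper, the SPI and the addresses are constructed for the demo; the MAC stands in for the real IKE integrity checksum and ESP ICV.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed demo key; a real SA would use the negotiated IKE/ESP integrity keys.
KEY = b"constructed-demo-integrity-key"
TAG_LEN = 12


def mac(body: bytes) -> bytes:
    """Stand-in for the IKE integrity checksum / ESP ICV."""
    return hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]


def udp_4500_packet(kind: str, payload: bytes) -> bytes:
    """Port 4500 framing: four zero bytes mark IKE, otherwise the first four bytes are the ESP SPI."""
    marker = b"\x00\x00\x00\x00" if kind == "ike" else b"\x00\x00\x10\x01"  # constructed SPI
    body = marker + payload
    return body + mac(body)


@dataclass
class IkeSa:
    behind_nat: bool
    peer_addr: tuple            # (ip, port) of the last valid authenticated packet
    child_sas: list = field(default_factory=list)


def process_packet(sa: IkeSa, src: tuple, pkt: bytes) -> bool:
    """Verify the packet and apply the draft's rule; return whether it authenticated."""
    body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
    if not hmac.compare_digest(mac(body), tag):
        return False                       # unauthenticated: never move the peer address
    if not sa.behind_nat and src != sa.peer_addr:
        sa.peer_addr = src                 # authenticated IKE or UDP-encapsulated ESP both count
    return True


def create_child_sa(sa: IkeSa) -> tuple:
    """Child SA endpoints are those of the IKE SA, not anything carried in CREATE_CHILD_SA."""
    sa.child_sas.append(sa.peer_addr)
    return sa.peer_addr


if __name__ == "__main__":
    sa = IkeSa(behind_nat=False, peer_addr=("198.51.100.7", 4500))
    process_packet(sa, ("198.51.100.7", 61000), udp_4500_packet("esp", b"esp payload"))
    print(sa.peer_addr, create_child_sa(sa))
```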