
Re: Initial Contact Message processing

>> This is a pretty dubious way to use IKE.  That aside for the moment,
>> it seems to me to be only one of a number of reasons why implementations
>> should track the _port_ they receive the initial message of a conversation
>> from, not just the source IP address.
>
> This does not work. You MUST use identities for tracking the SAs from
> the same identity. If the host behind NAT is rebooted, there is
> possibility that the NAT will allocate new IP and port for the host
> when it connects again. Now the SGW will see connection coming with
> new IP and new port, and the INITIAL-CONTACT will not clear the old
> state away at all, meaning that it can still try to send the traffic
> to old SAs (== black hole).

Are you saying that an identity may use IPsec from one device only?
It seems to me that I may want to establish a phase 1 SA with you from
two different workstations at the same time.  Are you saying that I
would need 2 phase 1 IDs to do that?  Is it a generally accepted limitation
of IPsec that identities are tied to a particular device?  This would have
to be true in order to process an INITIAL-CONTACT notification based on IDs
only.
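As an added illustration, not code from either poster, the following simulation models a security gateway's SA table and processes an INITIAL-CONTACT under the two tracking policies debated above: by source address and port, or by IKE identity. It shows both the NAT-reboot black hole the reply describes and the two-workstation collision the question raises; all identities, addresses, ports and SPI labels are constructed, and the policy names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SA:
    identity: str   # IKE identity asserted by the peer (constructed values below)
    addr: str       # source IP as seen by the security gateway
    port: int       # source UDP port as seen by the gateway (changes behind NAT)
    spi: str        # constructed label standing in for the SPI


def process_initial_contact(table, new_sa, key_by):
    """Return the SA table after an INITIAL-CONTACT arrives with new_sa.

    key_by="identity": drop every existing SA asserting the same identity.
    key_by="address":  drop only SAs whose (addr, port) matches the sender.
    Both policy names are hypothetical, chosen for this simulation.
    """
    if key_by == "identity":
        stale = {sa for sa in table if sa.identity == new_sa.identity}
    elif key_by == "address":
        stale = {sa for sa in table
                 if (sa.addr, sa.port) == (new_sa.addr, new_sa.port)}
    else:
        raise ValueError(f"unknown policy: {key_by}")
    return (table - stale) | {new_sa}


# Scenario 1 (constructed): a host behind NAT reboots and the NAT maps its
# new conversation to a different public port; only the identity is stable.
OLD = SA("host1@example.test", "203.0.113.5", 4500, "spi-old")
REBOOTED = SA("host1@example.test", "203.0.113.5", 4601, "spi-new")


def nat_reboot_leaves_black_hole(key_by):
    table = process_initial_contact(frozenset({OLD}), REBOOTED, key_by)
    # True: the old SA survived, so the gateway keeps sending traffic into it.
    return OLD in table


# Scenario 2 (constructed): one identity used from two workstations at once,
# the case the question above asks about.
WS_A = SA("alice@example.test", "198.51.100.10", 500, "spi-a")
WS_B = SA("alice@example.test", "198.51.100.11", 500, "spi-b")


def second_workstation_tears_down_first(key_by):
    table = process_initial_contact(frozenset({WS_A}), WS_B, key_by)
    # True: workstation A's SA was removed by workstation B's INITIAL-CONTACT.
    return WS_A not in table
```

Address-keyed tracking leaves the rebooted host's stale SA in place, while identity-keyed tracking clears it but also tears down a second concurrent workstation using the same identity.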