
Re: IDci and IDcr payloads with NAT Traversal

>> - if it is, then what IP addresses should be utilized in IDci and IDcr?
>
>The GW can use IDci = 10.1.1.123 and IDcr = 10.2.2.2, and it needs to
>know the 10.2.2.2 from the configuration. I.e. the GW's configuration
>would be:
>
>            src = 10.1.1.123, dst = 10.2.2.2,
>                        enable Tunnel mode NAT-T to address y.y.y.y.
>
>If there would be overlaps (i.e. host B would also have IP-address of
>10.1.1.123), then GW would need to do some kind of NAT for the packets
>from host B it sends to the host A.

Perhaps I'm reading too much into your answer, but there seems to be
some inconsistencies with IDci and IDcr when NAT Traversal is used.
Let's consider a simpler example:


 HOST A ----> A's NAT ----> B's NAT ----> HOST B
 10.1.1.1                                 10.2.2.2


 Where:
 - The private address for HOST A is 10.1.1.1
 - HOST A's NAT translates 10.1.1.1 to x.x.x.x

 - The private address for HOST B is 10.2.2.2
 - B's NAT translates 10.2.2.2 to y.y.y.y (where y.y.y.y
   is static).

There are two cases:
 1) HOST A is trying to create a phase 2 SA with HOST B
    to protect ALL traffic between HOST A and HOST B.

 2) HOST A is trying to create a phase 2 SA with HOST B
    to protect TCP traffic between HOST A and HOST B.

In case 1 there is no need to exchange IDci and
IDcr.  They can be assumed to be the IP addresses
of the IKE peers without any implied constraints on
port or protocol.  To me this would imply that both
HOST A and HOST B have a different view of IDci and
IDcr.
- HOST A would think the IP address for IDci is 10.1.1.1
  and for IDcr is y.y.y.y.
- HOST B would think the IP address for IDci is x.x.x.x
  and for IDcr is 10.2.2.2.

In case 2 ID payloads must be exchanged (since traffic is
constrained to TCP traffic).  Based on your previous answer
I'm thinking you would expect both HOST A and HOST B to view
IDci as 10.1.1.1 and IDcr as 10.2.2.2.

Based on what the IDs would be if no ID payloads were sent
I would expect that the IDs exchanged in case 2 should be the
same as the IDs implied in case 1.  This seems far more natural to
me as it does not require HOST A to know HOST B's private address
before the negotiation starts and it does not require HOST B to
know HOST A's private address before the negotiation starts.  I
will admit that in the gateway case (my original case) that it
seems as if knowledge of private addresses must be shared.

I think that the "Negotiation of NAT-Traversal in IKE" draft
needs to include conventions for setting IDci and IDcr.  Perhaps
IDci and IDcr should always be exchanged when NAT is detected?
My concern is that without establishing a convention for
dealing with IDci and IDcr that we open ourselves up to
possible interoperability issues.


Dave Wierbowski


z/OS Comm Server Developer

 Phone:
    Tie line:   620-4055
    External:  607-429-4055
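The two conventions discussed above (IDs implied from the IKE peer addresses each side sees locally, versus private addresses carried in the ID payloads) can be checked mechanically. The following is an added example, not code from the thread or from any NAT-T draft: it models the diagram's topology with constructed placeholder hosts and NAT mappings (HOST A 10.1.1.1 behind x.x.x.x, HOST B 10.2.2.2 behind y.y.y.y), computes each peer's view of IDci/IDcr under each convention, and reports whether the views agree and whether the convention requires a peer to know the other side's private address before negotiation. It also covers the case with no NAT on either side, where both conventions collapse to the same IDs; the `Host`, `implied_ids`, `private_ids` and `analyse` names are the example's own.

```python
"""Model of IKE phase 2 identity (IDci/IDcr) views when peers sit behind NATs.

Constructed example: host names, private addresses and NAT mappings are
placeholders mirroring the thread's diagram, not a real deployment.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Host:
    name: str
    private_ip: str
    nat_public_ip: Optional[str] = None  # None means no NAT in front of the host

    @property
    def public_ip(self) -> str:
        # The address the far side of the NAT observes for this host.
        return self.nat_public_ip or self.private_ip


def implied_ids(initiator: Host, responder: Host) -> Dict[str, Dict[str, str]]:
    """Case 1 of the thread: no ID payloads are sent, so each peer takes IDci/IDcr
    from the IKE packet addresses as it sees them locally, i.e. its own private
    address and the peer's post-NAT address."""
    return {
        initiator.name: {"IDci": initiator.private_ip, "IDcr": responder.public_ip},
        responder.name: {"IDci": initiator.public_ip, "IDcr": responder.private_ip},
    }


def private_ids(initiator: Host, responder: Host) -> Dict[str, Dict[str, str]]:
    """Case 2 under the convention the quoted reply assumes: both peers carry
    the private addresses of initiator and responder in the ID payloads."""
    ids = {"IDci": initiator.private_ip, "IDcr": responder.private_ip}
    return {initiator.name: dict(ids), responder.name: dict(ids)}


def analyse(initiator: Host, responder: Host, convention: str) -> dict:
    """Return both peers' ID views, whether they agree, and whether the convention
    needs each side to know the peer's private address before negotiation."""
    if convention not in ("implied", "private"):
        raise ValueError("convention must be 'implied' or 'private'")
    build = implied_ids if convention == "implied" else private_ids
    views = build(initiator, responder)
    consistent = views[initiator.name] == views[responder.name]
    # Under the private-address convention a peer must place the *other* side's
    # private address in an ID payload.  That address is only derivable from what
    # it observes on the wire when the other side is not behind a NAT.
    needs_prior_knowledge = convention == "private" and (
        initiator.private_ip != initiator.public_ip
        or responder.private_ip != responder.public_ip
    )
    return {
        "views": views,
        "consistent": consistent,
        "needs_prior_knowledge": needs_prior_knowledge,
    }


if __name__ == "__main__":
    host_a = Host("HOST A", "10.1.1.1", "x.x.x.x")  # constructed, as in the diagram
    host_b = Host("HOST B", "10.2.2.2", "y.y.y.y")  # constructed, as in the diagram
    for conv in ("implied", "private"):
        result = analyse(host_a, host_b, conv)
        print(f"{conv:8s} consistent={result['consistent']} "
              f"prior_knowledge={result['needs_prior_knowledge']}")
        for peer, ids in result["views"].items():
            print(f"  {peer}: IDci={ids['IDci']} IDcr={ids['IDcr']}")
```

Running it reproduces the thread's observation: with NATs on both sides the implied convention leaves HOST A and HOST B with different IDci/IDcr pairs, while the private-address convention makes them agree only because each side already knows the other's private address; with no NAT at all, `analyse` reports both conventions as consistent with no prior knowledge required.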