
Re: [Ipsec] RFC 3715 / IPsec NAT Compatibility



Hi,

Does IKEv2 have a similar limitation?
I.e., an IP address shouldn't be used as the identifier when there is NAT.

BTW, why is there such a limitation while IKE has authentication in place?

Thanks.

Kevin Li

================== Quote from RFC3715/page 4/(c)

   c) Incompatibility between IKE address identifiers and NAT.  Where IP
      addresses are used as identifiers in Internet Key Exchange
      Protocol (IKE) Phase 1 [RFC2409] or Phase 2, modification of the
      IP source or destination addresses by NATs or reverse NATs will
      result in a mismatch between the identifiers and the addresses in
      the IP header.  As described in [RFC2409], IKE implementations are
      required to discard such packets.
      ...

Bob Arthurs wrote:

> Hi Folks,
>
> Quick question about RFC 3715 - on page 4 (c) the RFC mentions 
> incompatibility between IKE address identifiers and NAT.
>
> Would I be right in saying that this incompatibility occurs only in 
> transport mode when using IP addresses as phase 1 identifiers, and 
> when the source address of ISAKMP packets is checked against the 
> traffic selectors carried as identifiers in phase 2? Or have I
> completely missed the point :)
>
> Many thanks in advance.



_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
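
Added example, not part of the original messages: a simplified model of the mismatch described in the RFC 3715 quote, parsing an ISAKMP Identification payload and comparing an address-type ID with the IP header source after a NAT has rewritten it. The addresses, the FQDN and the function names are constructed for illustration, and the check is an assumption about how a receiver would apply the rule, not code from any IKE implementation.

```python
import ipaddress
import struct

# ID type values from the IPsec DOI (RFC 2407).
ID_IPV4_ADDR = 1
ID_FQDN = 2

# next payload, reserved, length, ID type, protocol ID, port
HEADER = struct.Struct("!BBHBBH")


def build_id_payload(id_type, data):
    """Build an ISAKMP Identification payload carrying `data`."""
    return HEADER.pack(0, 0, HEADER.size + len(data), id_type, 0, 0) + data


def parse_id_payload(raw):
    """Return (id_type, identification_data), validating the length field."""
    if len(raw) < HEADER.size:
        raise ValueError("truncated ID payload")
    _next, _reserved, length, id_type, _proto, _port = HEADER.unpack_from(raw)
    if length < HEADER.size or length > len(raw):
        raise ValueError("bad payload length")
    return id_type, raw[HEADER.size:length]


def address_id_consistent(raw_payload, header_src):
    """Model of the receiver's check: an address-type ID must equal the
    source address seen in the IP header. Other ID types are not compared."""
    id_type, data = parse_id_payload(raw_payload)
    if id_type != ID_IPV4_ADDR:
        return True
    if len(data) != 4:
        raise ValueError("ID_IPV4_ADDR needs 4 bytes")
    return ipaddress.IPv4Address(data) == ipaddress.IPv4Address(header_src)


# Constructed sample values: an initiator behind a NAT.
INSIDE, NAT_PUBLIC = "10.0.0.5", "203.0.113.7"
ADDR_ID = build_id_payload(ID_IPV4_ADDR, ipaddress.IPv4Address(INSIDE).packed)
FQDN_ID = build_id_payload(ID_FQDN, b"initiator.example.org")

if __name__ == "__main__":
    # The NAT rewrites only the IP header; the ID payload still carries INSIDE.
    print("no NAT, address ID:", address_id_consistent(ADDR_ID, INSIDE))
    print("NAT,    address ID:", address_id_consistent(ADDR_ID, NAT_PUBLIC))
    print("NAT,    FQDN ID   :", address_id_consistent(FQDN_ID, NAT_PUBLIC))
```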