
RE: [Ipsec] RFC 3715 / IPsec NAT Compatibility



Hi,

I cannot find anything in draft-ietf-ipsec-ikev14 that would 
require always comparing ID_IPvX_ADDR payloads with the IP header.
So it seems this limitation does not apply to IKEv2? 
(And this is IMHO as it should be.)

This comparison is mentioned in draft-ietf-pki4ipsec-ikecert-profile, though: 

   "Implementations MUST be capable of verifying that the
   address contained in ID is the same as the peer source
   address.  Implementations MAY provide a configuration option
   to skip that verification step, but that option MUST be off
   by default."

BTW, while the text quoted below from RFC 3715 says that
IKEv1 implementations must discard packets where Phase 1
ID_IPvX_ADDR identities do not match the IP header, 
I could not locate the relevant text in RFC2409. 
Could someone point me to the right section?

Best regards,
Pasi

> -----Original Message-----
> From: Kevin Li <kli@cisco.com>
> Sent: Thursday, July 08, 2004 2:59 AM
> To: ipsec@ietf.org
> Cc: Bob Arthurs
> Subject: Re: [Ipsec] RFC 3715 / IPsec NAT Compatibility
> 
> 
> Hi,
> 
> Does IKEv2 have similar limitation?
> I.e. IP address shouldn't be used as the identifier when there is NAT.
> 
> BTW, why such limitation while IKE has the authentication in place?
> 
> Thanks.
> 
> Kevin Li
> 
> ================== Quote from RFC3715/page 4/(c)
> 
>    c) Incompatibility between IKE address identifiers and  NAT.  Where
>       IP addresses are used as identifiers in Internet Key Exchange
>       Protocol (IKE) Phase 1 [RFC2409] or Phase 2, modification of the
>       IP source or destination addresses by NATs or reverse NATs will
>       result in a mismatch between the identifiers and the 
>       addresses in the IP header.  As described in [RFC2409], IKE 
>       implementations are required to discard such packets.
>       ...
> 
> Bob Arthurs wrote:
> 
> > Hi Folks,
> >
> > Quick question about RFC 3715 - on page 4 (c) the RFC mentions 
> > incompatibility between IKE address identifiers and NAT.
> >
> > Would I be right in saying that this incompatibility occurs only in 
> > transport mode when using IP addresses as phase 1 identifiers, and 
> > when the source address of ISAKMP packets is checked against the 
> > traffic selectors carried as identifiers in phase 2 ?? Or have I 
> > completely missed the point :)
> >
> > Many thanks in advance.
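
The check the thread is discussing, as an added example that is not part of the original messages or of any of the cited documents: an ISAKMP Identification Payload is parsed (laid out as in RFC 2407 section 4.6.2, which is an assumption about the wire format rather than something quoted above), and for the ID_IPV4_ADDR / ID_IPV6_ADDR types the carried address is compared with the IP header source address the packet arrived from. The `skip_address_check` knob models the "MAY provide a configuration option ... MUST be off by default" clause from the ikecert-profile text. The `nat_scenario` function and all addresses in it are constructed to show why RFC 3715 (c) calls this a NAT incompatibility: the rewritten source address no longer equals the claimed identity, whereas a non-address identity such as an FQDN carries nothing for the NAT to invalidate.

```python
import ipaddress
import struct

# ISAKMP Identification Payload types, RFC 2407 section 4.6.2.1
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_IPV6_ADDR = 5


def build_id_payload(id_type, data, next_payload=0, protocol_id=0, port=0):
    """Build an ISAKMP ID payload: generic header (next, reserved, length)
    followed by ID type, protocol ID, port and the identification data."""
    length = 8 + len(data)
    header = struct.pack("!BBHBBH", next_payload, 0, length,
                         id_type, protocol_id, port)
    return header + data


def parse_id_payload(raw):
    """Return (id_type, identification_data), enforcing the length field."""
    if len(raw) < 8:
        raise ValueError("ID payload shorter than its fixed header")
    _next, _reserved, length, id_type, _proto, _port = struct.unpack(
        "!BBHBBH", raw[:8])
    if length != len(raw):
        raise ValueError("ID payload length field does not match data")
    return id_type, raw[8:]


def id_matches_source(id_payload, peer_source_ip, skip_address_check=False):
    """Decide whether a Phase 1 ID_IPvX_ADDR identity agrees with the
    address in the IP header of the IKE packet.

    Identity types that carry no address (FQDN, USER_FQDN, KEY_ID, ...) have
    nothing to compare and are passed through; the address comparison is
    exactly the step a NAT on the path breaks.  skip_address_check defaults
    to False, mirroring the profile's MUST-be-off-by-default wording."""
    id_type, data = parse_id_payload(id_payload)
    if id_type not in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        return True
    expected_len = 4 if id_type == ID_IPV4_ADDR else 16
    if len(data) != expected_len:
        raise ValueError("identification data length does not match ID type")
    claimed = ipaddress.ip_address(data)      # accepts packed 4/16-byte form
    if skip_address_check:
        return True
    return claimed == ipaddress.ip_address(peer_source_ip)


def nat_scenario():
    """Constructed walk-through: an initiator behind a NAT identifies itself
    by its private address, then the NAT rewrites the IP source address."""
    private_addr = "10.0.0.5"            # constructed initiator address
    nat_public_addr = "203.0.113.7"      # constructed NAT outside address
    addr_id = build_id_payload(ID_IPV4_ADDR,
                               ipaddress.ip_address(private_addr).packed)
    fqdn_id = build_id_payload(ID_FQDN, b"gw.example.net")
    return {
        # no NAT: header source equals the claimed identity
        "before_nat": id_matches_source(addr_id, private_addr),
        # through NAT: identity still says 10.0.0.5, header says 203.0.113.7
        "after_nat": id_matches_source(addr_id, nat_public_addr),
        # the workaround RFC 3715 implies: use a non-address identity
        "after_nat_fqdn": id_matches_source(fqdn_id, nat_public_addr),
    }


if __name__ == "__main__":
    for case, accepted in nat_scenario().items():
        print(f"{case}: {'accepted' if accepted else 'discarded'}")
```

The comparison exists to bind the authenticated Phase 1 identity to the address the peer is actually speaking from; once a NAT sits in the path that binding cannot hold, which is why the usual answer is to authenticate with an FQDN, USER_FQDN or KEY_ID identity rather than to switch the check off.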

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec