RE: [Ipsec] RFC 3715 / IPsec NAT Compatibility
Yep, I tried to find the reference in RFC 2401 to discarding packets as well
(IKEv1 implementations must discard packets where Phase 1 ID_IPvX_ADDR
identities do not match the IP header) - couldn't find it anywhere!
Can anyone shed any light on this?
Thanks.
>From: Pasi.Eronen@nokia.com
>To: <kli@cisco.com>, <ipsec@ietf.org>
>Subject: RE: [Ipsec] RFC 3715 / IPsec NAT Compatibility
>Date: Thu, 8 Jul 2004 13:52:08 +0300
>
>Hi,
>
>I cannot find anything in draft-ietf-ipsec-ikev14 that would
>require always comparing ID_IPvX_ADDR payloads with the IP header.
>So it seems this limitation does not apply to IKEv2?
>(And this is IMHO as it should be.)
>
>This comparison is mentioned in draft-ietf-pki4ipsec-ikecert-
>profile, though:
>
> "Implementations MUST be capable of verifying that the
> address contained in ID is the same as the peer source
> address. Implementations MAY provide a configuration option
> to skip that verification step, but that option MUST be off
> by default."
>
>BTW, while the text quoted below from RFC 3715 says that
>IKEv1 implementations must discard packets where Phase 1
>ID_IPvX_ADDR identities do not match the IP header,
>I could not locate the relevant text in RFC2409.
>Could someone point me to the right section?
>
>Best regards,
>Pasi
>
> > -----Original Message-----
> > From: Kevin Li <kli@cisco.com>
> > Sent: Thursday, July 08, 2004 2:59 AM
> > To: ipsec@ietf.org
> > Cc: Bob Arthurs
> > Subject: Re: [Ipsec] RFC 3715 / IPsec NAT Compatibility
> >
> >
> > Hi,
> >
> > Does IKEv2 have a similar limitation?
> > I.e. the IP address shouldn't be used as the identifier when there is NAT.
> >
> > BTW, why such a limitation while IKE has the authentication in place?
> >
> > Thanks.
> >
> > Kevin Li
> >
> > ================== Quote from RFC3715/page 4/(c)
> >
> > c) Incompatibility between IKE address identifiers and NAT. Where
> > IP addresses are used as identifiers in Internet Key Exchange
> > Protocol (IKE) Phase 1 [RFC2409] or Phase 2, modification of the
> > IP source or destination addresses by NATs or reverse NATs will
> > result in a mismatch between the identifiers and the
> > addresses in the IP header. As described in [RFC2409], IKE
> > implementations are required to discard such packets.
> > ...
> >
> > Bob Arthurs wrote:
> >
> > > Hi Folks,
> > >
> > > Quick question about RFC 3715 - on page 4 (c) the RFC mentions
> > > incompatibility between IKE address identifiers and NAT.
> > >
> > > Would I be right in saying that this incompatibility occurs only in
> > > transport mode when using IP addresses as phase 1 identifiers, and
> > > when the source address of ISAKMP packets is checked against the
> > > traffic selectors carried as identifiers in phase 2? Or have I
> > > completely missed the point? :)
> > >
> > > Many thanks in advance.
>
>_______________________________________________
>Ipsec mailing list
>Ipsec@ietf.org
>https://www1.ietf.org/mailman/listinfo/ipsec
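The verification behaviour the thread is discussing (an address-type ID payload compared with the peer's actual source address, plus an optional skip that is off by default), written out as an added example that is not code from any of the mails or from the cited drafts. The payload layout follows the IKEv2 Identification payload (4-byte generic header, 1-byte ID Type, 3 reserved bytes, identification data); the addresses and the NAT scenario are constructed for illustration.

```python
import ipaddress
import struct

# IKEv2 ID Type values for the payload types used below.
ID_IPV4_ADDR, ID_FQDN, ID_IPV6_ADDR = 1, 2, 5

def build_id_payload(id_type: int, data: bytes, next_payload: int = 0) -> bytes:
    """Encode an Identification payload: generic header + ID Type + 3 reserved + data."""
    return struct.pack("!BBHB3x", next_payload, 0, 8 + len(data), id_type) + data

def parse_id_payload(raw: bytes) -> tuple[int, bytes]:
    """Return (id_type, identification_data); reject truncated or mis-sized payloads."""
    if len(raw) < 8:
        raise ValueError("ID payload shorter than its fixed header")
    _next, _flags, length, id_type = struct.unpack("!BBHB3x", raw[:8])
    if length != len(raw):
        raise ValueError("Payload Length does not match received bytes")
    return id_type, raw[8:]

def check_id_against_source(raw: bytes, peer_source: str,
                            skip_address_check: bool = False) -> str:
    """Apply the 'ID address MUST equal peer source address' rule.

    Only ID_IPV4_ADDR / ID_IPV6_ADDR carry an address, so FQDN, RFC822 and
    other types pass untouched.  The skip option is the MAY-provide knob and
    defaults to off, so a NAT-rewritten source address is discarded by default.
    """
    id_type, data = parse_id_payload(raw)
    if id_type not in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        return "accept"
    claimed = ipaddress.ip_address(data)          # packed 4- or 16-byte address
    if claimed == ipaddress.ip_address(peer_source):
        return "accept"
    return "accept-skipped" if skip_address_check else "discard"

def nat_scenario() -> dict:
    """Constructed scenario: initiator 192.168.1.10 behind a NAT that rewrites
    the UDP source to 203.0.113.7; the responder sees the translated address."""
    seen_source = "203.0.113.7"
    addr_id = build_id_payload(ID_IPV4_ADDR, ipaddress.IPv4Address("192.168.1.10").packed)
    fqdn_id = build_id_payload(ID_FQDN, b"gw.example.net")
    return {
        "addr_id_default": check_id_against_source(addr_id, seen_source),
        "addr_id_skip": check_id_against_source(addr_id, seen_source, skip_address_check=True),
        "fqdn_id_default": check_id_against_source(fqdn_id, seen_source),
        "addr_id_no_nat": check_id_against_source(addr_id, "192.168.1.10"),
    }

if __name__ == "__main__":
    for case, verdict in nat_scenario().items():
        print(f"{case:16} -> {verdict}")
```

The FQDN case is the point raised in the thread: choosing a non-address identifier sidesteps the mismatch entirely, while the address identifier survives NAT only when the verification is explicitly turned off.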