
RE: [Ipsec] RFC 3715 / IPsec NAT Compatibility



Yep, I tried to find the reference in RFC 2401 to discarding packets as well 
(IKEv1 implementations must discard packets where Phase 1 ID_IPvX_ADDR 
identities do not match the IP header) - couldn't find it anywhere!

Can anyone shed any light on this?

Thanks.


>From: Pasi.Eronen@nokia.com
>To: <kli@cisco.com>, <ipsec@ietf.org>
>Subject: RE: [Ipsec] RFC 3715 / IPsec NAT Compatibility
>Date: Thu, 8 Jul 2004 13:52:08 +0300
>
>Hi,
>
>I cannot find anything in draft-ietf-ipsec-ikev14 that would
>require always comparing ID_IPvX_ADDR payloads with the IP header.
>So it seems this limitation does not apply to IKEv2?
>(And this is IMHO as it should be.)
>
>This comparison is mentioned in draft-ietf-pki4ipsec-ikecert-profile, though:
>
>    "Implementations MUST be capable of verifying that the
>    address contained in ID is the same as the peer source
>    address.  Implementations MAY provide a configuration option
>    to skip that verification step, but that option MUST be off
>    by default."
>
>BTW, while the text quoted below from RFC 3715 says that
>IKEv1 implementations must discard packets where Phase 1
>ID_IPvX_ADDR identities do not match the IP header,
>I could not locate the relevant text in RFC2409.
>Could someone point me to the right section?
>
>Best regards,
>Pasi
>
> > -----Original Message-----
> > From: Kevin Li <kli@cisco.com>
> > Sent: Thursday, July 08, 2004 2:59 AM
> > To: ipsec@ietf.org
> > Cc: Bob Arthurs
> > Subject: Re: [Ipsec] RFC 3715 / IPsec NAT Compatibility
> >
> >
> > Hi,
> >
> > Does IKEv2 have similar limitation?
> > I.e. IP address shouldn't be used as the identifier when there is NAT.
> >
> > BTW, why such limitation while IKE has the authentication in place?
> >
> > Thanks.
> >
> > Kevin Li
> >
> > ================== Quote from RFC3715/page 4/(c)
> >
> >    c) Incompatibility between IKE address identifiers and  NAT.  Where
> >       IP addresses are used as identifiers in Internet Key Exchange
> >       Protocol (IKE) Phase 1 [RFC2409] or Phase 2, modification of the
> >       IP source or destination addresses by NATs or reverse NATs will
> >       result in a mismatch between the identifiers and the
> >       addresses in the IP header.  As described in [RFC2409], IKE
> >       implementations are required to discard such packets.
> >       ...
> >
> > Bob Arthurs wrote:
> >
> > > Hi Folks,
> > >
> > > Quick question about RFC 3715 - on page 4 (c) the RFC mentions
> > > incompatibility between IKE address identifiers and NAT.
> > >
> > > Would I be right in saying that this incompatibility occurs only in
> > > transport mode when using IP addresses as phase 1 identifiers, and
> > > when the source address of ISAKMP packets is checked against the
> > > traffic selectors carried as identifiers in phase 2 ?? Or have I
> > > completely missed the point :)
> > >
> > > Many thanks in advance.
>
>_______________________________________________
>Ipsec mailing list
>Ipsec@ietf.org
>https://www1.ietf.org/mailman/listinfo/ipsec
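A worked illustration of the check this thread is about: the Phase 1 ID_IPvX_ADDR identity compared against the IP header source address, with the off-by-default skip option quoted above from the ikecert profile. This is an added example, not code from any message or RFC in the thread; the payload layout follows RFC 2407, and the addresses and FQDN are constructed.

```python
import struct
from ipaddress import IPv4Address, IPv6Address, ip_address

# ISAKMP Identification payload (RFC 2407 section 4.6.2): Next Payload(1) RESERVED(1)
# Payload Length(2) ID Type(1) Protocol ID(1) Port(2), then the Identification Data.
ID_IPV4_ADDR, ID_FQDN, ID_IPV6_ADDR = 1, 2, 5  # ID type values, RFC 2407 section 4.6.2.1

def build_id_payload(id_type, data):
    """Encode an Identification payload (constructed input for the example)."""
    return struct.pack("!BBHBBH", 0, 0, 8 + len(data), id_type, 0, 0) + data

def parse_id_payload(raw):
    """Return (id_type, identification_data); raise on a malformed header."""
    if len(raw) < 8:
        raise ValueError("ID payload shorter than its 8-byte header")
    _, _, length, id_type, _, _ = struct.unpack("!BBHBBH", raw[:8])
    if length != len(raw):
        raise ValueError("Payload Length field does not match payload size")
    return id_type, raw[8:]

def id_address(id_type, data):
    """Address carried by an ID_IPV4_ADDR / ID_IPV6_ADDR identity, else None."""
    if id_type == ID_IPV4_ADDR and len(data) == 4:
        return IPv4Address(data)
    if id_type == ID_IPV6_ADDR and len(data) == 16:
        return IPv6Address(data)
    return None

def check_id_against_header(raw_payload, header_src, skip_verification=False):
    """Compare the Phase 1 ID address with the IP header source; the skip knob is off by default."""
    id_type, data = parse_id_payload(raw_payload)
    addr = id_address(id_type, data)
    if addr is None:
        return True, "non-address identity, no header comparison applies"
    if addr == ip_address(header_src):
        return True, "ID address matches header source"
    if skip_verification:
        return True, "mismatch accepted: verification disabled by configuration"
    return False, f"ID address {addr} does not match header source {header_src}"

def nat_scenario():
    """Peer 10.0.0.5 behind a NAT whose outside address is 203.0.113.7 (constructed)."""
    inside, outside = "10.0.0.5", "203.0.113.7"
    addr_id = build_id_payload(ID_IPV4_ADDR, IPv4Address(inside).packed)
    fqdn_id = build_id_payload(ID_FQDN, b"gw.example.net")
    return {
        "no_nat": check_id_against_header(addr_id, inside)[0],           # True
        "nat_addr_id": check_id_against_header(addr_id, outside)[0],     # False: NAT rewrote the source
        "nat_addr_id_skip": check_id_against_header(addr_id, outside, True)[0],  # True, option enabled
        "nat_fqdn_id": check_id_against_header(fqdn_id, outside)[0],     # True: non-address identity
    }
```

The FQDN case shows why a non-address identity sidesteps the mismatch in the quoted RFC 3715 text: there is simply no header address to compare it against.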


