
Re: [Ipsec] Public IP address & IP mobility



Rajeev Gupta wrote:

> Would appreciate if someone can reply to these 2 questions relating to 
> IKEv2:
>
> (the tunnel initiator is referred to as “client” and the tunnel 
> terminator is the “gateway”)
>
> - is it possible for the client to learn its public IP address as seen 
> by the gateway? The current NAT detection mechanism in IKEv2 only 
> provides to the client the hash of its public IP address as seen by 
> the gateway – why not the actual IP address itself?
>
You are correct. In message 2 the gateway only sends the hash. This design was copied from the design for NAT detection in IKEv1 since people seemed happy with it. I probably would have sent the actual address rather than a hash, but I guess people thought it was good for some sort of secrecy to hide the actual IP address. Given that in IPv4, addresses are only 32 bits, it wouldn't take much work to find a set of addresses that hash to that value, so I'm not sure how useful it is to send the hash rather than the address.

> - Is it possible for the client to maintain the IPSec tunnel with the 
> gateway, if it changes its source IP address? This could happen if the 
> client moves across subnets in a wireless network. Is there any 
> specified mechanism to use Mobile IP with IPSec?
>
This is the problem that the mobeike WG is working on.
http://www.ietf.org/html.charters/mobike-charter.html

Radia




_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
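The point made in the reply above, that hashing a 32-bit IPv4 address hides very little, can be shown concretely. The following is an added example, not code from the original thread or from any IKE implementation. It builds the NAT_DETECTION_*_IP payload data the way RFC 7296 section 2.23 defines it (SHA-1 over the two IKE SPIs, the IP address and the port), performs the client-side comparison that detects a NAT, and then recovers the public address from the hash alone by brute force. The SPIs, addresses and ports are constructed sample values; the search is limited to a /16 so it runs in a fraction of a second, and it assumes the NAT did not rewrite the source port (if it did, the 16-bit port would have to be searched as well).

```python
import hashlib
import ipaddress
import struct
from typing import Optional

# Constructed sample values for the IKE_SA_INIT exchange (not real traffic).
SPI_I = bytes.fromhex("0123456789abcdef")   # initiator SPI, 8 bytes
SPI_R = bytes.fromhex("fedcba9876543210")   # responder SPI, 8 bytes
CLIENT_PRIVATE_IP = "192.168.1.10"          # what the client sees on its own socket
CLIENT_PUBLIC_IP = "203.0.113.77"           # what the gateway sees after the NAT
IKE_PORT = 500


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP notify data per RFC 7296 s2.23:
    SHA-1(SPIi | SPIr | IP address | port), SPIs in header order,
    address in network byte order (4 bytes IPv4 / 16 bytes IPv6), port big-endian."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def gateway_message2_dest_hash(spi_i: bytes, spi_r: bytes,
                               seen_src_ip: str, seen_src_port: int) -> bytes:
    """What the gateway puts in NAT_DETECTION_DESTINATION_IP of message 2:
    the hash of the client's source address and port as the gateway saw them."""
    return nat_detection_hash(spi_i, spi_r, seen_src_ip, seen_src_port)


def client_detects_nat(received_dest_hash: bytes, spi_i: bytes, spi_r: bytes,
                       local_ip: str, local_port: int) -> bool:
    """Client-side check: if the gateway's hash of our address differs from the hash
    of the address we think we sent from, something (a NAT) rewrote the packet."""
    return received_dest_hash != nat_detection_hash(spi_i, spi_r, local_ip, local_port)


def recover_ipv4_from_hash(received_dest_hash: bytes, spi_i: bytes, spi_r: bytes,
                           port: int, search_network: str) -> Optional[str]:
    """Brute-force the IPv4 address behind a NAT_DETECTION hash.

    The client already knows both SPIs (they are in the IKE header) and, assuming
    the NAT kept the port, the port too, so the only unknown is 32 bits of address.
    search_network bounds the sweep for this example; a full 2^32 sweep is the
    same loop and takes minutes in native code on one core."""
    prefix = spi_i + spi_r
    suffix = struct.pack("!H", port)
    for host in ipaddress.ip_network(search_network).hosts():
        if hashlib.sha1(prefix + host.packed + suffix).digest() == received_dest_hash:
            return str(host)
    return None


if __name__ == "__main__":
    h = gateway_message2_dest_hash(SPI_I, SPI_R, CLIENT_PUBLIC_IP, IKE_PORT)
    print("NAT detected:", client_detects_nat(h, SPI_I, SPI_R, CLIENT_PRIVATE_IP, IKE_PORT))
    print("recovered public address:",
          recover_ipv4_from_hash(h, SPI_I, SPI_R, IKE_PORT, "203.0.0.0/16"))
```

The detection part is what IKEv2 actually does with the hash; the recovery part is what the reply argues against the hash's value as a secret. The hash is keyed by nothing the client does not already hold, so it is a deterministic 20-byte commitment to a 32-bit value, and enumerating that space is cheap.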