
Re: [Ipsec] Public IP address & IP mobility



Radia Perlman writes:
> You are correct. In message 2 the gateway only sends the hash. This
> design was copied from the design for NAT detection in IKEv1 since
> people seemed happy with it. I probably would have sent the actual
> address rather than a hash, but I guess people thought it was good
> for some sort of secrecy to hide the actual IP address. Given that
> in IPv4, addresses are only 32 bits, it wouldn't take much work to
> find a set of addresses that hash to that value, so I'm not sure how
> useful it is to send the hash rather than the address.

I agree that for IPv4 it does not really provide real security, but for
IPv6 there might be some real protection. Remember also that 64 bits
of the IPv6 address are mostly tied to the machine, meaning even when
the prefix changes, the lower 64 bits would stay the same.

Also some people put NATs in their firewalls just to keep the
internal IP addresses hidden, so sending them out *in the clear* with
every IKE negotiation would be quite bad from their point of view.

Adding hashing there is quite a cheap way to keep those people happy,
and for NAT-T we do not care what the IP addresses originally were; we
care that there was a NAT in between modifying them.
-- 
kivinen@safenet-inc.com

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
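The NAT detection check the message refers to, as an added example that is not part of the thread: the RFC 7296 NAT_DETECTION_* value (SHA-1 over SPIi | SPIr | address | port) and the receiver-side comparison that detects a NAT without ever learning the original address. The SPIs and addresses are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed example values (not from the thread): 8-byte IKE SPIs.  In an
# IKE_SA_INIT request the responder SPI is still zero.
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes(8)


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Value carried in NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP
    (RFC 7296, section 2.23): SHA-1 over SPIi | SPIr | address | port, all in
    network byte order.  The address is 4 bytes for IPv4 and 16 for IPv6."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes")
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def nat_between(received_hash: bytes, seen_ip: str, seen_port: int,
                spi_i: bytes = SPI_I, spi_r: bytes = SPI_R) -> bool:
    """Receiver's check: recompute the hash over the source address and port
    actually observed in the IP/UDP headers.  A mismatch means some box
    rewrote the address on the way; the original address is never needed."""
    expected = nat_detection_hash(spi_i, spi_r, seen_ip, seen_port)
    return not hmac.compare_digest(expected, received_hash)


def run_scenarios() -> dict:
    """Three constructed cases: initiator behind a NAT, no NAT, and IPv6."""
    # Initiator behind a NAT: it hashes its private address, but the
    # responder sees the NAT's public address and a remapped port.
    behind_nat = nat_detection_hash(SPI_I, SPI_R, "192.168.1.10", 500)
    # Same initiator reaching the responder directly.
    direct = nat_detection_hash(SPI_I, SPI_R, "198.51.100.20", 500)
    # IPv6 host: the 16-byte address goes into the hash, same comparison.
    v6 = nat_detection_hash(SPI_I, SPI_R, "2001:db8::1", 500)
    return {
        "nat_detected": nat_between(behind_nat, "203.0.113.7", 4500),
        "direct_detected": nat_between(direct, "198.51.100.20", 500),
        "v6_detected": nat_between(v6, "2001:db8::1", 500),
    }


if __name__ == "__main__":
    print(run_scenarios())
```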