Re: [anonsec] Comments on connection latching draft

Paul Wouters <paul@xelerance.com> Fri, 07 December 2007 04:55 UTC

Date: Thu, 06 Dec 2007 23:50:06 -0500
From: Paul Wouters <paul@xelerance.com>
To: Nicolas Williams <Nicolas.Williams@sun.com>
In-Reply-To: <20071206235738.GA8628@Sun.COM>
Message-ID: <Pine.LNX.4.64.0712062348120.11458@newtla.xelerance.com>
References: <tsld4tjjsw3.fsf@mit.edu> <20071206235738.GA8628@Sun.COM>
Cc: anonsec@postel.org, Sam Hartman <hartmans-ietf@mit.edu>
Subject: Re: [anonsec] Comments on connection latching draft

On Thu, 6 Dec 2007, Nicolas Williams wrote:

> To help describe the process by which latches are created and torn down.
>
> > Why must implementations make available nat state?  I'm unconvinced
> > that is well enough defined to actually be useful.
>
> I think this is Michael's requirement.

I think this might have to do with detecting multiple clients behind
the same NAT router.

> >    o  Any IPsec channel created with a given peer while another
> >       distinct, established IPsec channel exists with the same source
> >       and destination addresses SHOULD be bound to the same peer.
> >
> >
> > How does this interact with nats?
>
> Hmmm, badly :)

Why not make it source and destination address plus port?

>     o  Create a connection latch object for a ULP 5-tuple (local and
>        remote address, protocol and local and remote port numbers).

Like here.

Paul
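The NAT problem raised in this exchange, as an added example that is not part of the thread or of the connection-latching draft: a toy latch table that binds IPsec channels either by address pair (the draft's SHOULD) or by ULP 5-tuple (Paul's suggestion), run over two constructed clients sharing one NAT address. Peer names, addresses and ports are constructed for the illustration.

```python
"""Added example, not from the thread or the draft: contrast binding
channels by address pair with binding by ULP 5-tuple behind a NAT."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Channel:
    """An IPsec channel as seen by the responder; 'peer' is the peer
    identity the channel was authenticated to (constructed labels here)."""
    local_addr: str
    remote_addr: str
    proto: str
    local_port: int
    remote_port: int
    peer: str


def addr_pair_key(ch: Channel) -> Tuple:
    """The draft's rule: same source and destination address."""
    return (ch.local_addr, ch.remote_addr)


def five_tuple_key(ch: Channel) -> Tuple:
    """Paul's suggestion: address pair plus protocol and ports."""
    return (ch.local_addr, ch.remote_addr, ch.proto, ch.local_port, ch.remote_port)


class LatchTable:
    """Maps a latch key to the peer it is bound to."""
    def __init__(self, key_fn: Callable[[Channel], Tuple]) -> None:
        self.key_fn = key_fn
        self.latches: Dict[Tuple, str] = {}

    def admit(self, ch: Channel) -> str:
        """'latched' for a new key, 'reused' if the key is already bound to
        this peer, 'conflict' if it is bound to a different peer."""
        key = self.key_fn(ch)
        bound = self.latches.get(key)
        if bound is None:
            self.latches[key] = ch.peer
            return "latched"
        return "reused" if bound == ch.peer else "conflict"


def nat_scenario(key_fn: Callable[[Channel], Tuple]) -> List[str]:
    """Two distinct clients behind one NAT address (203.0.113.5) reach the
    same server port; only the source ports differ."""
    table = LatchTable(key_fn)
    a = Channel("198.51.100.10", "203.0.113.5", "tcp", 22, 40001, "peer-A")
    b = Channel("198.51.100.10", "203.0.113.5", "tcp", 22, 40002, "peer-B")
    return [table.admit(a), table.admit(b)]
```

With the address-pair key the second client is a conflict, since the rule would bind it to peer-A; with the 5-tuple key each client gets its own latch.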