Re: Comments regarding IPsec NAT traversal / new proposal
Jim Tiller <jtiller@belenosinc.com> Tue, 01 August 2000 18:05 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA13284; Tue, 1 Aug 2000 11:05:25 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id MAA20066 Tue, 1 Aug 2000 12:53:30 -0400 (EDT)
Date: Tue, 01 Aug 2000 13:03:31 -0400
From: Jim Tiller <jtiller@belenosinc.com>
X-Mailer: The Bat! (v1.44)
Reply-To: "Jim Tiller, CISSP" <jtiller@belenosinc.com>
Organization: Belenos, Inc.
X-Priority: 3 (Normal)
Message-ID: <9079792064.20000801130331@belenosinc.com>
To: Ari Huttunen <Ari.Huttunen@F-Secure.com>
CC: ipsec-list <ipsec@lists.tislabs.com>
Subject: Re: Comments regarding IPsec NAT traversal / new proposal
In-reply-To: <397EE19F.5AE38323@F-Secure.com>
References: <397EE19F.5AE38323@F-Secure.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
AH> ASSUMPTION: We do *not* wish to use the same UDP port for both IKE and
AH> IPsec traffic encapsulated in UDP. This is because we'd lose the possibility
AH> to filter these traffic types separately in a firewall. For this purpose we've
AH> reserved the port 2797 from IANA.

This should be a default with an option to modify at the remote system/initiator. The reasoning is that port 2797 may not be typically open in foreign networks; in that event the initiator can request to establish the session over a common port (i.e. 53) that is typically open on firewalls.

AH> In particular, the method of negotiating and setting up UDP encapsulation as
AH> defined in draft-stenberg-ipsec-nat-traversal-00.txt is too complex. We propose the following
AH> mechanism for discussion:
AH>
AH> 1) IKE phase 1 is not modified.
AH> 2) IKE phase 2 adds a new protocol ID,
AH>
AH>    Protocol ID                 Value
AH>    -----------                 -----
AH>    RESERVED                    0
AH>    PROTO_ISAKMP                1
AH>    PROTO_IPSEC_AH              2
AH>    PROTO_IPSEC_ESP             3
AH>    PROTO_IPCOMP                4
AH>    PROTO_IPSEC_ESP_OVER_UDP    X

Agreed - however, you're assuming IKE will survive NAT. Will this affect the available authentication mechanisms?

-jim
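To show where the new protocol ID quoted above would actually appear on the wire, here is an added example (not part of the original message or of the draft) that encodes and parses an ISAKMP Phase 2 Proposal payload using the RFC 2408 header layout. The value for PROTO_IPSEC_ESP_OVER_UDP is left as "X" in the message, so 0xF0 is used below purely as a constructed placeholder; the parser rejects IDs outside the table rather than guessing.

```python
import struct

# Protocol IDs exactly as listed in the quoted proposal. The new entry's
# value is "X" in the message; 0xF0 here is a constructed placeholder only.
PROTO_IPSEC_ESP_OVER_UDP = 0xF0
PROTOCOL_IDS = {
    0: "RESERVED",
    1: "PROTO_ISAKMP",
    2: "PROTO_IPSEC_AH",
    3: "PROTO_IPSEC_ESP",
    4: "PROTO_IPCOMP",
    PROTO_IPSEC_ESP_OVER_UDP: "PROTO_IPSEC_ESP_OVER_UDP",
}

# RFC 2408 Proposal payload header, all fields network byte order:
# Next Payload(1) RESERVED(1) Payload Length(2) Proposal #(1)
# Protocol-Id(1) SPI Size(1) # of Transforms(1), followed by the SPI.
PROPOSAL_HDR = struct.Struct("!BBHBBBB")


def build_proposal(protocol_id, spi, transforms=b"", num_transforms=1,
                   proposal_number=1, next_payload=0):
    """Encode one Proposal payload carrying protocol_id and the given SPI."""
    length = PROPOSAL_HDR.size + len(spi) + len(transforms)
    hdr = PROPOSAL_HDR.pack(next_payload, 0, length, proposal_number,
                            protocol_id, len(spi), num_transforms)
    return hdr + spi + transforms


def parse_proposal(data):
    """Decode a Proposal payload; return (protocol name, SPI, transform bytes).

    Raises ValueError on truncation, a non-zero RESERVED octet, a length
    field that does not fit the buffer, or a Protocol-Id not in the table.
    """
    if len(data) < PROPOSAL_HDR.size:
        raise ValueError("truncated proposal payload")
    _nxt, reserved, length, _num, proto, spi_size, _ntrans = \
        PROPOSAL_HDR.unpack_from(data)
    if reserved != 0 or length > len(data) \
            or length < PROPOSAL_HDR.size + spi_size:
        raise ValueError("malformed proposal header")
    if proto not in PROTOCOL_IDS:
        raise ValueError("unknown protocol id %d" % proto)
    spi_end = PROPOSAL_HDR.size + spi_size
    return PROTOCOL_IDS[proto], data[PROPOSAL_HDR.size:spi_end], data[spi_end:length]
```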