Return-Path: <ynir@checkpoint.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
 with ESMTP id 2E89121F8CAC for <ipsec@ietfa.amsl.com>;
 Wed,  5 Dec 2012 01:41:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.466
X-Spam-Level: 
X-Spam-Status: No, score=-10.466 tagged_above=-999 required=5 tests=[AWL=0.133,
 BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com
 [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NiUOTrEYGmf2 for
 <ipsec@ietfa.amsl.com>; Wed,  5 Dec 2012 01:41:14 -0800 (PST)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by
 ietfa.amsl.com (Postfix) with ESMTP id 3345021F8C9F for <ipsec@ietf.org>;
 Wed,  5 Dec 2012 01:41:13 -0800 (PST)
Received: from IL-EX10.ad.checkpoint.com ([194.29.34.147]) by
 smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id qB59f9vZ026292;
 Wed, 5 Dec 2012 11:41:09 +0200
X-CheckPoint: {50BF166F-2-1B221DC2-2FFFF}
Received: from IL-EX10.ad.checkpoint.com ([169.254.2.14]) by
 IL-EX10.ad.checkpoint.com ([169.254.2.14]) with mapi id 14.02.0318.004;
 Wed, 5 Dec 2012 11:41:08 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Thread-Topic: [IPsec] draft-ietf-ipsecme-ike-tcp-01 comments
Thread-Index: AQHN0r5+hrRKPfFxi02auVilIkihkpgJ0kaA
Date: Wed, 5 Dec 2012 09:41:07 +0000
Message-ID: <4613980CFC78314ABFD7F85CC30277210EDD3BBB@IL-EX10.ad.checkpoint.com>
References: <50BEFEE5.9050900@gmail.com>
In-Reply-To: <50BEFEE5.9050900@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [172.31.21.46]
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
x-cpdlp: 11903f2e4d402ff5f18e12a665700b0558f9c538af
Content-Type: text/plain; charset="us-ascii"
Content-ID: <0406B6AEE995DB4FAEB8101BD069AF88@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: IPsecme WG <ipsec@ietf.org>
Subject: Re: [IPsec] draft-ietf-ipsecme-ike-tcp-01 comments
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>,
 <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>,
 <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Dec 2012 09:41:15 -0000

Hi Yaron

On Dec 5, 2012, at 9:59 AM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:

> Hi,
>=20
> In general, it seems to me we are trying to solve more than we should, an=
d we should punt on some of the NAT use cases, leave them to configuration =
or to out-of-protocol solutions like STUN and friends. Maybe even DNS SRV r=
egistration.
>=20
> Specifically:
>=20
> - In the new text re: the Initiator sending IKE_TCP_SUPPORTED, I would ch=
ange "prevented... by network address translation" to "prevented by policy"=
. There are different ways to prevent a peer from being a responder, includ=
ing firewalls, NAT or plain configuration. All should be included here.

I strongly disagree with this. As section 1.1 says, we are not trying to cr=
eate a protocol to subvert policy, and NATs are not generally a tool for po=
licy enforcement. They do, however, cause issues with connecting to port 50=
0 of a host that's behind them. If the host is unreachable, it should not a=
dvertise its support for IKE over TCP. If it uses STUN and friends so that =
it is reachable at the NAT address on some port (usually referred to as "po=
rt forwarding") then it should advertise that port. I think this would be i=
mplemented as a configuration option, which you set after setting up the po=
rt forwarding, but if there's an automated way of doing this, that would al=
so work, and I agree that we should not specify which it is.

> - I'm feeling uncomfortable with the rudimentary NAT bypass mechanism tha=
t we are proposing here: you're supposed to advertise a port number on anot=
her device (on the NAT box). I am sure there are loads of problems this wil=
l open up. Here's one: if we're talking about a very large NAT device (one =
that uses multiple public addresses), isn't it possible that the IP address=
 allocated for the static NAT of the IKE listening port is different from t=
he source IP address of the initial IKE request?

I'm not assuming that the original responder learns the IP address of the o=
riginal initiator by the source of the request. If it is so, then we need s=
omething better like an SRV record.

> - Also, given the port advertising, do we still need the liveness check d=
escribed at the end of Sec. 3.2?

Sure. The liveness check clears the way and tests reachability for IPsec, b=
y using the same ports as IPsec.

>=20
> Thanks,
>    Yaron
>=20
>=20
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>=20
> Email secured by Check Point