Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

Tobias Brunner <tobias@strongswan.org> Thu, 15 July 2021 08:36 UTC

To: "Bottorff, Paul" <paul.bottorff@hpe.com>, Valery Smyslov <smyslov.ietf@gmail.com>, 'Tero Kivinen' <kivinen@iki.fi>, "antony.antony@secunet.com" <antony.antony@secunet.com>, 'IPsec' <ipsec@ietf.org>
References: <CS1PR8401MB11928BE251D4B6E05184D941FE619@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <20210331103220.GA21137@moon.secunet.de> <CS1PR8401MB119267E038AFBDFD996F0441FE7C9@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <24678.19440.553333.890224@fireball.acr.fi> <036401d72786$91047b90$b30d72b0$@gmail.com> <CS1PR8401MB11924CD1BF4CC233523180F3FE7A9@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM> <CS1PR8401MB119239134AD78A9B30754AE4FE139@CS1PR8401MB1192.NAMPRD84.PROD.OUTLOOK.COM>
From: Tobias Brunner <tobias@strongswan.org>
Message-ID: <f0cf6bca-f3b8-c991-2257-90def87f40c9@strongswan.org>
Date: Thu, 15 Jul 2021 10:35:55 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/fiL2-Gd_zrE7BOtb-Fj67dJmLiU>
Subject: Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

Hi Paul,

> Instead, the responder should use the port received by the responder in the IKE exchanges.

Note that if these packets have random source ports, this will only work 
if the NAT implementation plays along or there is static port forwarding 
configured.  NATs might filter inbound packets from endpoints that don't 
equal the IP/port to which the host behind the NAT originally sent 
packets when the NAT mapping was created (address and port-dependent 
filtering in terms of RFC 4787).  I guess the same could happen in 
scenarios where there are no NATs but restrictive firewalls that block 
traffic from endpoints to which the host behind the firewall did not 
send traffic.

Regards,
Tobias
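As an added illustration (not part of the thread or of any implementation), the following Python model of the three RFC 4787 filtering behaviours shows why ESP-in-UDP sent by the responder from a random source port is dropped by an address-and-port-dependent NAT unless it reuses the port the initiator originally sent to. All addresses and ports are constructed sample values.

```python
# Added example: a minimal model of RFC 4787 NAT filtering behaviours.
from dataclasses import dataclass, field

ENDPOINT_INDEPENDENT = "endpoint-independent"
ADDRESS_DEPENDENT = "address-dependent"
ADDRESS_PORT_DEPENDENT = "address-and-port-dependent"


@dataclass
class Nat:
    """Simplified NAT: one external address, endpoint-independent mapping,
    inbound filtering selectable per RFC 4787 section 5."""
    filtering: str
    external_ip: str = "198.51.100.1"  # constructed (RFC 5737 documentation range)
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)  # (int_ip, int_port) -> ext_port
    peers: dict = field(default_factory=dict)     # ext_port -> {(dst_ip, dst_port)}

    def outbound(self, src, dst):
        """Host behind the NAT sends to dst: create mapping, remember the peer."""
        if src not in self.mappings:
            self.mappings[src] = self.next_port
            self.next_port += 1
        ext_port = self.mappings[src]
        self.peers.setdefault(ext_port, set()).add(dst)
        return (self.external_ip, ext_port)

    def inbound(self, src, ext_port):
        """Packet from src to our external port: True if the NAT forwards it."""
        seen = self.peers.get(ext_port)
        if not seen:
            return False  # no mapping exists for this external port
        if self.filtering == ENDPOINT_INDEPENDENT:
            return True
        if self.filtering == ADDRESS_DEPENDENT:
            return any(ip == src[0] for ip, _ in seen)
        return src in seen  # address-and-port-dependent: exact IP/port match


def responder_reaches_initiator(filtering, ike_port=4500, esp_src_port=51234):
    """Initiator behind the NAT runs IKE to the responder's ike_port; the
    responder then sends ESP-in-UDP from esp_src_port to the mapped endpoint."""
    nat = Nat(filtering)
    responder_ip = "203.0.113.5"  # constructed
    ext = nat.outbound(("10.0.0.2", 4500), (responder_ip, ike_port))
    return nat.inbound((responder_ip, esp_src_port), ext[1])
```

With the default random source port only the two less restrictive filtering modes pass the packet; passing `esp_src_port=4500` (the port the initiator sent IKE to) makes it through all three.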