ike source port (was: issues with IKE that need resolution)
Gabriel.Montenegro@Eng.Sun.Com Wed, 16 September 1998 08:19 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id EAA14281 for ipsec-outgoing; Wed, 16 Sep 1998 04:19:01 -0400 (EDT)
From: Gabriel.Montenegro@Eng.Sun.Com
Date: Wed, 16 Sep 1998 01:36:14 -0700
Message-Id: <199809160836.BAA08003@hsmpka.eng.sun.com>
To: ipsec@tis.com
Reply-To: gab@Eng.Sun.Com
X-Mailer: Sun NetMail 2.1.6
Subject: ike source port (was: issues with IKE that need resolution)
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
The issue is: Is it ok for the source port for IKE to be something other than port 500? Hopefully it is ok, as this eases ipsec across NAT boxes, for example. I asked several ipsec-ers this question in Chicago, but there seems to be no clear answer.

ISAKMP specifies that 500 must be supported on both source and destination. However, it does not say that 500 is the only port number possible. Allowing the source port to vary does not seem to have security implications, because source and destination ports are already included in the hash.

What do most implementations do when they get an IKE packet whose source port is not 500?

Of course, the same question applies to the destination port, but at least in the SOHO scenario, an unconstrained source port is what's important (assuming the clients behind the "NAT" box are the initiators of IKE sessions with legacy IKE responders out on the Internet). Requiring the source port to always be set to 500 means that the "NAT/NAR" box would have to have a pool of addresses to lend out to internal clients. The very common SOHO case in which the "NAT/NAR" box has only one IP address (perhaps obtained dynamically from its ISP) would not be supported.

------------------
More info:

I've been thinking about enabling IPSEC (and others) across intermediate boxes (NATs, proxies, gateways, whatever). My proposal on how to do it is called NAR (negotiated address reuse):

draft-montenegro-aatn-nar-00.txt

The Chicago presentation is available as

http://playground.sun.com/~gab/talks/nar-ietf42.{PDF,ppt}

-gabriel
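The SOHO case the message describes, as an added simulation that is not part of the original post or of any IKE implementation. Two hosts behind a NAT with one external address both start IKE from UDP source port 500 to the same responder. A NAT that must keep the source port at 500 can only carry one of them (the second mapping collides), while a port-translating NAT carries both, provided the responder accepts a non-500 source port and replies to the port it observed. The addresses, the tiny NAT table and the 28-byte ISAKMP fixed-header parser are illustrative assumptions; the responder here does no real IKE processing beyond checking the header.

```python
"""Added example: single-address NAT versus the 'source port must be 500' rule.
Addresses, SPIs and the NAT table are constructed for illustration."""
import struct
from dataclasses import dataclass

IKE_PORT = 500
# ISAKMP fixed header: I-SPI(8) R-SPI(8) next-payload ver xchg flags msg-id(4) length(4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """NAT with a single external address (assumed 203.0.113.7 below).
    preserve_port=True models a box forced to keep the client's source port 500;
    preserve_port=False models ordinary port translation."""

    def __init__(self, external_ip, preserve_port, first_port=1024):
        self.external_ip = external_ip
        self.preserve_port = preserve_port
        self.next_port = first_port
        self.outbound = {}  # (in_ip, in_port, dst_ip, dst_port) -> external port
        self.inbound = {}   # (external port, dst_ip, dst_port) -> (in_ip, in_port)

    def translate_out(self, flow):
        key = (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
        if key not in self.outbound:
            ext_port = flow.src_port if self.preserve_port else self.next_port
            ret = (ext_port, flow.dst_ip, flow.dst_port)
            if ret in self.inbound:
                # A second inside host with the same (external port, responder):
                # replies could not be demultiplexed, so the mapping is refused.
                return None
            if not self.preserve_port:
                self.next_port += 1
            self.outbound[key] = ext_port
            self.inbound[ret] = (flow.src_ip, flow.src_port)
        return Flow(self.external_ip, self.outbound[key], flow.dst_ip, flow.dst_port)

    def translate_in(self, flow):
        inside = self.inbound.get((flow.dst_port, flow.src_ip, flow.src_port))
        if inside is None:
            return None
        return Flow(flow.src_ip, flow.src_port, inside[0], inside[1])


def build_isakmp(i_spi, r_spi=b"\x00" * 8):
    """Minimal ISAKMP header only (version 1.0, Identity Protection exchange)."""
    return ISAKMP_HDR.pack(i_spi, r_spi, 1, 0x10, 2, 0, 0, ISAKMP_HDR.size)


def responder_reply(flow, datagram, strict_port=False):
    """Validate the fixed header and decide where the reply goes.
    strict_port=True drops anything not sourced from port 500 (the behaviour
    the post asks about); otherwise the reply targets the observed source port."""
    if len(datagram) < ISAKMP_HDR.size:
        return None
    i_spi, _r, _np, ver, _x, _f, _mid, length = ISAKMP_HDR.unpack_from(datagram)
    if length != len(datagram) or ver >> 4 != 1:
        return None
    if strict_port and flow.src_port != IKE_PORT:
        return None
    reply_to = Flow(flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port)
    return reply_to, build_isakmp(i_spi, r_spi=b"\x11" * 8)


def run_scenario(preserve_port, strict_port):
    """Return the inside hosts whose IKE reply made it back through the NAT."""
    nat = Nat("203.0.113.7", preserve_port)
    delivered = []
    for host, spi in (("10.0.0.2", b"A" * 8), ("10.0.0.3", b"B" * 8)):
        out = nat.translate_out(Flow(host, IKE_PORT, "198.51.100.9", IKE_PORT))
        if out is None:
            continue
        res = responder_reply(out, build_isakmp(spi), strict_port)
        if res is None:
            continue
        back = nat.translate_in(res[0])
        if back is not None:
            delivered.append(back.dst_ip)
    return delivered


if __name__ == "__main__":
    print("port preserved, lenient responder:", run_scenario(True, False))
    print("port translated, strict responder:", run_scenario(False, True))
    print("port translated, lenient responder:", run_scenario(False, False))
```

Only the third combination serves both hosts: with one external address, the NAT must be free to rewrite the source port, and the responder must be willing to answer a source port other than 500. Forcing port preservation reproduces the need for an address pool that the message points out.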