AW: [Pana] PANA and NAT traversal

"Tschofenig, Hannes" <hannes.tschofenig@siemens.com> Fri, 23 February 2007 13:19 UTC


Hi Bob, 
 
thanks for your question. See my response inline: 
 

________________________________

	From: Bob Melander (KI/EAB) [mailto:bob.melander@ericsson.com] 
	Sent: Wednesday, 21 February 2007 09:25
	To: pana@ietf.org
	Subject: [Pana] PANA and NAT traversal
	
	

	I'm new to this list and I have some questions concerning PANA
and NAT traversal. I've been browsing the mail archive and the current
drafts but I still feel uncertain about what the status is.

	What I wonder is pretty straight-forward. Is PANA applicable in
the following two NAT scenarios: 

	1. NAT between PAA and EP 

	+----------+      +--------+         +----+   +-----+   +-----+
	| MN (PaC) |------| Router |---------| EP |---| NAT |---| PAA |
	+----------+      +--------+         +----+   +-----+   +-----+
	                   (One or
	                    several)

	     <=== Bootstrapped IPSec tunnel ===> 

	My understanding is that PANA should work in such a scenario
(I've seen some slide set from IETF62). Correct? Any issues?

	
	[Tschofenig, Hannes] Yes. PANA works in this case.
	 
	
	

	2. NAT between PaC and EP 

	+----------+      +-----+     +--------+         +----+   +-----+
	| MN (PaC) |------| NAT |-----| Router |---------| EP |---| PAA |
	+----------+      +-----+     +--------+         +----+   +-----+
	                               (One or
	                                several)

	       <======== Bootstrapped IPSec tunnel ========> 

	Whether this is also supported I feel unsure about. My
understanding of PANA details is not deep enough. Will PANA work here?

	
	[Tschofenig, Hannes]  PANA also works in this case. Section 6 of
http://www.ietf.org/internet-drafts/draft-ietf-pana-ipsec-07.txt
provides the details. The important point is that the shared secret for
the IKE exchange is based on the ID_KEY_ID rather than the IP address. 
	
	 

	If someone could provide answers to my questions I'd really
appreciate it. 

	
	 

	Ciao

	Hannes

	 

	 

	 Best regards, 

	Bob Melander 
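
The point made in the reply to scenario 2, that the IKE shared secret is selected by ID_KEY_ID rather than by IP address, shown as an added example that is not part of the original message or of the draft. The key table, class and function names, addresses and key-ID bytes are constructed for illustration; only the ID payload layout and the ID_KEY_ID type value come from the IPsec DOI (RFC 2407).

```python
import ipaddress
import struct

ID_KEY_ID = 11  # ID type from the IPsec DOI (RFC 2407, section 4.6.2.1)


def parse_id_payload(payload: bytes):
    """Parse an ISAKMP Identification payload; return (id_type, id_data)."""
    if len(payload) < 8:
        raise ValueError("ID payload shorter than its fixed header")
    _next, _reserved, length = struct.unpack("!BBH", payload[:4])
    if length < 8 or length > len(payload):
        raise ValueError("bad payload length")
    id_type = payload[4]  # followed by protocol ID (1 byte) and port (2 bytes)
    return id_type, payload[8:length]


def build_id_payload(id_type: int, id_data: bytes) -> bytes:
    """Build an ID payload (next payload, protocol ID and port left at 0)."""
    return struct.pack("!BBHBBH", 0, 0, 8 + len(id_data), id_type, 0, 0) + id_data


class PskStore:
    """Hypothetical EP-side key table, indexed two ways for comparison."""

    def __init__(self):
        self.by_address = {}
        self.by_key_id = {}

    def select_by_source(self, src_ip: str):
        # Address-keyed policy: the key is chosen from the packet's source IP.
        return self.by_address.get(ipaddress.ip_address(src_ip))

    def select_by_identity(self, payload: bytes):
        # Identity-keyed policy: the packet's source address is never consulted.
        id_type, id_data = parse_id_payload(payload)
        if id_type != ID_KEY_ID:
            return None
        return self.by_key_id.get(id_data)


def demo():
    """Return (address-keyed result, identity-keyed result) for a NATed PaC."""
    store = PskStore()
    psk, key_id = b"constructed-psk", b"constructed-key-id"
    store.by_address[ipaddress.ip_address("192.0.2.10")] = psk  # PaC's own address
    store.by_key_id[key_id] = psk
    nat_src = "198.51.100.7"  # constructed address the EP sees after the NAT
    return store.select_by_source(nat_src), store.select_by_identity(build_id_payload(ID_KEY_ID, key_id))
```

With the NAT rewriting the source address, the address-keyed lookup finds no key, while the lookup on the ID_KEY_ID payload returns the same key it would without a NAT.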



