[SAFE] IKE/IPsec with STUN Control
"Dan Wing" <dwing@cisco.com> Fri, 12 October 2007 18:08 UTC
Return-path: <safe-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IgOwE-0001FS-Ti; Fri, 12 Oct 2007 14:08:42 -0400
Received: from safe by megatron.ietf.org with local (Exim 4.43) id 1IgOwD-0001AL-Pm for safe-confirm+ok@megatron.ietf.org; Fri, 12 Oct 2007 14:08:41 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IgOwD-000151-5I for safe@ietf.org; Fri, 12 Oct 2007 14:08:41 -0400
Received: from sj-iport-1-in.cisco.com ([171.71.176.70] helo=sj-iport-1.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IgOwB-0007LX-B2 for safe@ietf.org; Fri, 12 Oct 2007 14:08:41 -0400
X-IronPort-AV: E=Sophos;i="4.21,267,1188802800"; d="scan'208";a="23014943"
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-1.cisco.com with ESMTP; 12 Oct 2007 11:08:38 -0700
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id l9CI8cpw016501; Fri, 12 Oct 2007 11:08:38 -0700
Received: from dwingwxp01 ([10.32.240.195]) by sj-core-2.cisco.com (8.12.10/8.12.6) with ESMTP id l9CI8cZp001367; Fri, 12 Oct 2007 18:08:38 GMT
From: Dan Wing <dwing@cisco.com>
To: 'Rémi Denis-Courmont' <remi.denis-courmont@nokia.com>
References: <042001c80b74$509c46b0$c3f0200a@cisco.com> <200710111357.44688.remi.denis-courmont@nokia.com>
Date: Fri, 12 Oct 2007 11:08:37 -0700
Message-ID: <0e6401c80cfa$e9fd0650$c3f0200a@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <200710111357.44688.remi.denis-courmont@nokia.com>
X-Mimeole: Produced By Microsoft MimeOLE V6.00.2900.3138
Thread-Index: AcgL9YsutvTZGQ/6R66ac1MMABSL+QBAt16g
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=1914; t=1192212518; x=1193076518; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20<dwing@cisco.com> |Subject:=20IKE/IPsec=20with=20STUN=20Control |Sender:=20; bh=ljHI1c4TqaW1EnJXTySt8j8eIFcE5w1UG/yUqUH/Pg8=; b=ko6CRpDp6iibbAvL759pL5dNEL7uhSZ4FRp7sFqv2ie1Ib5oJhR5JNB6Urh2slICIgt2yYi3 1zsZKcF6uZhwmWxMriDcGntSWJkleQQXnN+OAAh3ybpRdi14CaWjgHFc4MvixMuRoff/QH02It 9VB15wLm+EBpN7AfNtxR58zoI=;
Authentication-Results: sj-dkim-1; header.From=dwing@cisco.com; dkim=pass (s ig from cisco.com/sjdkim1004 verified; );
X-Spam-Score: -4.0 (----)
X-Scan-Signature: 21c69d3cfc2dd19218717dbe1d974352
Cc: safe@ietf.org
Subject: [SAFE] IKE/IPsec with STUN Control
X-BeenThere: safe@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Self-Address Fixing Evolution <safe.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/safe>, <mailto:safe-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/safe>
List-Post: <mailto:safe@ietf.org>
List-Help: <mailto:safe-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/safe>, <mailto:safe-request@ietf.org?subject=subscribe>
Errors-To: safe-bounces@ietf.org
> As far as I understand, STUN in general, and STUN in > particular, can be used for any UDP-based always-on protocol. > ESP-in-UDP, TEREDO, perhaps some long usages of RTP (such > as MIDI-over-RTP(?) or RTSP-based streaming), proprietary > UDP overlays (not giving any names)... I looked at how IKE learns of an on-path NAT, and unfortunately the IP addresses are hashed in the IKE exchange. This prevents the IKE endpoint from learning the IP address seen by its IKE peer, and thus prevents the IKE endpoint from learning its own public IP address. To use STUN Control, you need to learn that public IP address. I see two approaches: * It is possible to multiplex STUN, IKE, and IPsec ESP on the same UDP port. IKE-over-UDP starts with 4 bytes of zeros, IPsec ESP starts with the 32-bit SPI, and STUN has known bits in its header (first 16 bits indicate a STUN Request, Response, or Indication, and has a fixed magic cookie in bits 32-64) and the STUN SHA-1 fingerprint attribute. While not ideal, it would be possible for the IKE peers to demultiplex STUN on that same UDP port so that they could learn the IP address as seen by the other peer and use STUN Control to adjust their timings. * Alternatively, the IKE peer (VPN concentrator) could run a normal STUN server on the STUN port (UDP/3478) if we make the (reasonable) assumption that the same NATs would be be traversed for traffic to UDP/500, UDP/4500, and UDP/3478. This wouldn't require changes to VPN concentrator code. I would lean towards the second approach. -d > And then, there is the relation to ICE in finding > "intermediary" NAT mappings in nested NATs scenarios. > > At the same time, I thought SIP Outbound was going to > recommend TCP, so that > it could end up being a less likely "customer" of STUN control?? > > -- > Rémi Denis-Courmont > _______________________________________________ SAFE mailing list SAFE@ietf.org https://www1.ietf.org/mailman/listinfo/safe
- [SAFE] nat-control-stun-usage-04 Dan Wing
- Re: [SAFE] nat-control-stun-usage-04 Rémi Denis-Courmont
- RE: [SAFE] nat-control-stun-usage-04 Markus.Isomaki
- Re: [SAFE] nat-control-stun-usage-04 Philip Matthews
- RE: [SAFE] nat-control-stun-usage-04 Dan Wing
- [SAFE] IKE/IPsec with STUN Control Dan Wing