IETF Logo Mail Archive

RE: [Seamoby] CAR DiscoveryProtocol Requirements...

"Qiang Zhang" <qzhang@ecutel.com> Fri, 11 January 2002 22:49 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA02457 for <seamoby-archive@odin.ietf.org>; Fri, 11 Jan 2002 17:49:50 -0500 (EST)
Received: from optimus.ietf.org (localhost [127.0.0.1]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id RAA19746; Fri, 11 Jan 2002 17:39:13 -0500 (EST)
Received: from ietf.org (odin [132.151.1.176]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id RAA19717 for <seamoby@optimus.ietf.org>; Fri, 11 Jan 2002 17:39:11 -0500 (EST)
Received: from EXCHANGE01.domain.ecutel.com ([65.201.154.134]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA02299 for <seamoby@ietf.org>; Fri, 11 Jan 2002 17:39:08 -0500 (EST)
X-MimeOLE: Produced By Microsoft Exchange V6.0.5762.3
content-class: urn:content-classes:message
MIME-Version: 1.0
Subject: RE: [Seamoby] CAR DiscoveryProtocol Requirements...
Content-Type: text/plain; charset="iso-8859-1"
Date: Fri, 11 Jan 2002 17:38:35 -0500
Message-ID: <AF2378CBE7016247BC0FD5261F1EEB21068C2C@EXCHANGE01.domain.ecutel.com>
Thread-Topic: [Seamoby] CAR DiscoveryProtocol Requirements...
Thread-Index: AcGa7a9SfVfHUOBmQOq4iIiBc64j3AACeNEQ
From: Qiang Zhang <qzhang@ecutel.com>
To: Hemant Chaskar <hchaskar@hotmail.com>
Cc: seamoby@ietf.org
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by optimus.ietf.org id RAA19718
Sender: seamoby-admin@ietf.org
Errors-To: seamoby-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Context Transfer, Handoff Candidate Discovery, and Dormant Mode Host Alerting <seamoby.ietf.org>
X-BeenThere: seamoby@ietf.org
Content-Transfer-Encoding: 8bit

Hi, 

This sounds more an IPsec issue. In reality, it does happen that a public IP needs to IKE to a private IP behind a perimeter gateway, the private IP is non-routable unless NAT mapping is performed. 

The solution for sake of saving headache can be to introduce additional tunneling beneath the IKE, such as UDP encapsulation.

2 SAs can probably achieve a similiar effect in a lot scenarios, but unfortunately it also somewhat defeats the peer2peer purpose for certain usages.

Sorry if am actually off topic...

Qiang


Be there RFC or not, this discussion is not based on the relevant issue in 
the first place. The issue raised is:

"can you make IKE create an SA between two nodes (one having a public 
address and another having a private address)?".

SA between public to private routers need not be done by direct IKE between 
public and private peers. In the case of public to private SA, SA can be 
created (say using IKE) between public router to border router of private 
router. Border router to private router SA can be taken for granted. There 
are various ways to do the latter including static configuration. Such a 
concatenation of two SAs will guarantee SA between public and private 
routers, which is what we want.

Hence, ability or otherwise of creating direct IKE between public and 
private is not at all the sumbling block behind the private address space 
requirement.

If there is any genuine stumbing block in this requirement, please let me 
know it.


Hemant


>From: Vijay Devarapalli <vijayd@iprg.nokia.com>
>To: "Hesham Soliman (ERA)" <hesham.soliman@era.ericsson.se>
>CC: seamoby@ietf.org
>Subject: Re: [Seamoby] CAR DiscoveryProtocol Requirements...
>Date: Fri, 11 Jan 2002 10:37:49 -0800
>
>"Hesham Soliman (ERA)" wrote:
> >
> > [reply for a very old mail]
> >
> >   > can you make IKE create an SA between two nodes (one having
> >   > a public address and another having a private address)?
> >
> > => Yes you can. There are IKE extensions for this.
>
>which RFC??
>
>---------------
>
>from Aboba's draft draft-ietf-ipsec-nat-reqts-00.txt
>
>c) Incompatibility between IKE address identifiers and NAT.
>    Where IP addresses are used as identifiers in IKE MM [7]
>    or QM, modification of the IP source or destination
>    addresses by NATs or reverse NATs will result in a
>    mismatch between the identifiers and the addresses in the
>    IP header. As described in [7], IKE implementations are
>    required to discard such packets.
>
>    In order to avoid use of IP addresses as IKE MM and QM identifiers,
>    userIDs and FQDNs can be used instead. Where user authentication
>    is desired, an ID type of ID_USER_FQDN can be used, as described in
>    [5]. Where machine authentication is desired, an ID type of ID_FQDN
>    can be used. In either case it is necessary to verify that the
>    proposed identity matches that enclosed in the certificate.
>    However, while use of USER_FQDN or FQDN identity types is possible
>    within IKE, there are usage scenarios (e.g. SPD entries
>    describing subnets) that cannot be accommodated this way.
>
>------------------
>
>However there are a couple of internet drafts in the IPSec WG
>dealing with this. Hopefully they will have a solution soon.
>
>If I am missing something, let me know.
>
>Vijay
>
>
> > I'm obviously not interested in anything involving
> > private addresses, but your point is incorrect.
> >
> > Hesham
>
>_______________________________________________
>Seamoby mailing list
>Seamoby@ietf.org
>https://www1.ietf.org/mailman/listinfo/seamoby


_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: 
http://photos.msn.com/support/worldwide.aspx


_______________________________________________
Seamoby mailing list
Seamoby@ietf.org
https://www1.ietf.org/mailman/listinfo/seamoby

_______________________________________________
Seamoby mailing list
Seamoby@ietf.org
https://www1.ietf.org/mailman/listinfo/seamoby

v2.23.0 | Report a Bug | By Email