IETF Logo Mail Archive

Re: [Seamoby] CAR DiscoveryProtocol Requirements...

"Hemant Chaskar" <hchaskar@hotmail.com> Fri, 11 January 2002 22:26 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA01992 for <seamoby-archive@odin.ietf.org>; Fri, 11 Jan 2002 17:26:45 -0500 (EST)
Received: from optimus.ietf.org (localhost [127.0.0.1]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id RAA18670; Fri, 11 Jan 2002 17:06:57 -0500 (EST)
Received: from ietf.org (odin [132.151.1.176]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id RAA18643 for <seamoby@optimus.ietf.org>; Fri, 11 Jan 2002 17:06:55 -0500 (EST)
Received: from hotmail.com (f126.law7.hotmail.com [216.33.237.126]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA01411 for <seamoby@ietf.org>; Fri, 11 Jan 2002 17:06:52 -0500 (EST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Fri, 11 Jan 2002 14:06:25 -0800
Received: from 63.78.179.5 by lw7fd.law7.hotmail.msn.com with HTTP; Fri, 11 Jan 2002 22:06:25 GMT
X-Originating-IP: [63.78.179.5]
From: Hemant Chaskar <hchaskar@hotmail.com>
To: vijayd@iprg.nokia.com, hesham.soliman@era.ericsson.se
Cc: seamoby@ietf.org
Subject: Re: [Seamoby] CAR DiscoveryProtocol Requirements...
Date: Fri, 11 Jan 2002 22:06:25 -0000
Mime-Version: 1.0
Content-Type: text/plain; format="flowed"
Message-ID: <F126sIjRBhOUi2S1JXs0001a193@hotmail.com>
X-OriginalArrivalTime: 11 Jan 2002 22:06:25.0524 (UTC) FILETIME=[36313B40:01C19AEC]
Sender: seamoby-admin@ietf.org
Errors-To: seamoby-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Context Transfer, Handoff Candidate Discovery, and Dormant Mode Host Alerting <seamoby.ietf.org>
X-BeenThere: seamoby@ietf.org

Hi,

Be there RFC or not, this discussion is not based on the relevant issue in 
the first place. The issue raised is:

"can you make IKE create an SA between two nodes (one having a public 
address and another having a private address)?".

SA between public to private routers need not be done by direct IKE between 
public and private peers. In the case of public to private SA, SA can be 
created (say using IKE) between public router to border router of private 
router. Border router to private router SA can be taken for granted. There 
are various ways to do the latter including static configuration. Such a 
concatenation of two SAs will guarantee SA between public and private 
routers, which is what we want.

Hence, ability or otherwise of creating direct IKE between public and 
private is not at all the sumbling block behind the private address space 
requirement.

If there is any genuine stumbing block in this requirement, please let me 
know it.


Hemant


>From: Vijay Devarapalli <vijayd@iprg.nokia.com>
>To: "Hesham Soliman (ERA)" <hesham.soliman@era.ericsson.se>
>CC: seamoby@ietf.org
>Subject: Re: [Seamoby] CAR DiscoveryProtocol Requirements...
>Date: Fri, 11 Jan 2002 10:37:49 -0800
>
>"Hesham Soliman (ERA)" wrote:
> >
> > [reply for a very old mail]
> >
> >   > can you make IKE create an SA between two nodes (one having
> >   > a public address and another having a private address)?
> >
> > => Yes you can. There are IKE extensions for this.
>
>which RFC??
>
>---------------
>
>from Aboba's draft draft-ietf-ipsec-nat-reqts-00.txt
>
>c) Incompatibility between IKE address identifiers and NAT.
>    Where IP addresses are used as identifiers in IKE MM [7]
>    or QM, modification of the IP source or destination
>    addresses by NATs or reverse NATs will result in a
>    mismatch between the identifiers and the addresses in the
>    IP header. As described in [7], IKE implementations are
>    required to discard such packets.
>
>    In order to avoid use of IP addresses as IKE MM and QM identifiers,
>    userIDs and FQDNs can be used instead. Where user authentication
>    is desired, an ID type of ID_USER_FQDN can be used, as described in
>    [5]. Where machine authentication is desired, an ID type of ID_FQDN
>    can be used. In either case it is necessary to verify that the
>    proposed identity matches that enclosed in the certificate.
>    However, while use of USER_FQDN or FQDN identity types is possible
>    within IKE, there are usage scenarios (e.g. SPD entries
>    describing subnets) that cannot be accommodated this way.
>
>------------------
>
>However there are a couple of internet drafts in the IPSec WG
>dealing with this. Hopefully they will have a solution soon.
>
>If I am missing something, let me know.
>
>Vijay
>
>
> > I'm obviously not interested in anything involving
> > private addresses, but your point is incorrect.
> >
> > Hesham
>
>_______________________________________________
>Seamoby mailing list
>Seamoby@ietf.org
>https://www1.ietf.org/mailman/listinfo/seamoby


_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: 
http://photos.msn.com/support/worldwide.aspx


_______________________________________________
Seamoby mailing list
Seamoby@ietf.org
https://www1.ietf.org/mailman/listinfo/seamoby

v2.23.0 | Report a Bug | By Email