Tero Kivinen wrote:
> pasi.ero...@nokia.com writes:
> > - Section 2.23.1: If the responder doesn't find an SPD entry for
> > transport mode with the modified traffic selectors, and does a lookup
> > with the original selectors, if it finds an entry for transport mode,
> > can it use it?
>
> I do not think it can use the transport mode SA using original
> selectors. This of course depends on which traffic selectors are used
> when installing the SA data to the SAD. If those original selectors are
> used then incoming packets will be dropped because they do not match
> the selectors for the SA (RFC4301 section 5.2, step 5).

Actually, the incoming packets could match the selectors if they somehow take a different "route" than the IKEv2 packets, and bypass the NAT. (This is what's happening in RFC5555; see below.)

> If modified selectors are used when installing the SA then those selectors
> were not matched against the SPD, and this can cause spoofing attacks.

I agree this would violate the policy.

> > (And would that screw up the initiator processing of
> > the reply?
>
> That again depends on which traffic selectors are returned. If original
> traffic selectors are returned then the initiator does not get information
> about the original addresses, thus it cannot do incremental checksum
> updating. Also depending on what kind of checks the initiator does, it might
> cause the initiator to fail the reply processing.
>
> > Unfortunately, this question is relevant for RFC 5555...)
>
> What kind of things does RFC 5555 require?

Basically, it's assuming that even if you're running IKEv2 over IPv4 (and that IPv4 address is NATted), you can still negotiate transport mode SAs for IPv6 addresses (which won't get NATted).

Best regards,
Pasi

IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
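The three outcomes the thread argues about (no SA; SA installed with the original selectors, where the RFC 4301 step-5 check drops post-NAT packets unless the data path bypasses the NAT; SA installed with the modified selectors that were never matched against the SPD) can be made concrete with a small model of the responder's SPD lookup and inbound selector check. The following is an added example, not code from the IPsec list, from RFC 7296 or from any IKE implementation; the topology (an initiator at 10.0.0.5 behind a NAT that presents it as 203.0.113.7, a responder at 198.51.100.1), the SPD contents, the SPI and the `policy` names are all constructed for illustration.

```python
"""Toy model of RFC 4301 section 5.2 step 5 (inbound selector check) and the
RFC 7296 section 2.23.1 transport-mode-behind-NAT case from the thread.
Added example with constructed addresses, SPD and SPI; not an implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Selector:
    """Traffic selector: source prefix, destination prefix, IP protocol."""
    src: str
    dst: str
    proto: int

    def matches(self, src: str, dst: str, proto: int) -> bool:
        """Does a single packet fall inside this selector?"""
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and proto == self.proto)

    def covers(self, other: "Selector") -> bool:
        """Does this (SPD) selector cover a whole proposed selector?"""
        a, b = ip_network(self.src), ip_network(other.src)
        c, d = ip_network(self.dst), ip_network(other.dst)
        return (a.version == b.version and b.subnet_of(a)
                and c.version == d.version and d.subnet_of(c)
                and self.proto == other.proto)


@dataclass(frozen=True)
class SPDEntry:
    selector: Selector
    mode: str  # "transport" or "tunnel"


@dataclass(frozen=True)
class SA:
    spi: int
    selector: Selector  # selectors cached in the SAD at install time
    spd_checked: bool   # were these selectors matched against the SPD?


def spd_lookup(spd: List[SPDEntry], ts: Selector, mode: str) -> Optional[SPDEntry]:
    """Find an SPD entry of the requested mode covering the proposed TS."""
    for entry in spd:
        if entry.mode == mode and entry.selector.covers(ts):
            return entry
    return None


def responder_install(spd, spi, original_ts, modified_ts, policy) -> Optional[SA]:
    """Responder side of the 2.23.1 question. 'policy' (hypothetical name)
    picks what to do when the modified (post-NAT) selectors match no SPD
    entry but the original ones do:
      "reject"           -> no SA is created
      "install-original" -> SA carries the original selectors that matched
      "install-modified" -> SA carries the modified selectors, never SPD-checked
    """
    if spd_lookup(spd, modified_ts, "transport") is not None:
        return SA(spi, modified_ts, spd_checked=True)
    if spd_lookup(spd, original_ts, "transport") is None or policy == "reject":
        return None
    if policy == "install-original":
        return SA(spi, original_ts, spd_checked=True)
    return SA(spi, modified_ts, spd_checked=False)


def inbound_check(sad: Dict[int, SA], spi: int, src: str, dst: str, proto: int) -> str:
    """RFC 4301 5.2 step 5: the decapsulated packet must match the SA's
    cached selectors or it is discarded."""
    sa = sad.get(spi)
    if sa is None:
        return "drop: no SA"
    if not sa.selector.matches(src, dst, proto):
        return "drop: selector mismatch"
    return "accept"


def scenario(policy: str, data_path_bypasses_nat: bool = False) -> str:
    """Run one constructed exchange and report what happens to the first
    inbound packet. data_path_bypasses_nat models the RFC 5555-style case
    where the protected traffic is not translated, unlike the IKE packets."""
    spd = [SPDEntry(Selector("10.0.0.0/8", "198.51.100.1/32", 6), "transport")]
    original = Selector("10.0.0.5/32", "198.51.100.1/32", 6)    # TSi as sent
    modified = Selector("203.0.113.7/32", "198.51.100.1/32", 6)  # NATted outer
    sa = responder_install(spd, 0x1000, original, modified, policy)
    if sa is None:
        return "no SA"
    sad = {sa.spi: sa}
    src = "10.0.0.5" if data_path_bypasses_nat else "203.0.113.7"
    verdict = inbound_check(sad, sa.spi, src, "198.51.100.1", 6)
    if verdict == "accept" and not sa.spd_checked:
        return "accept (selectors never matched against SPD)"
    return verdict


if __name__ == "__main__":
    for p, bypass in [("reject", False), ("install-original", False),
                      ("install-original", True), ("install-modified", False)]:
        print(f"{p:17} bypass={bypass!s:5} -> {scenario(p, bypass)}")
```

The `install-original` row reproduces Tero's point (step 5 drops the translated packet), the same policy with `data_path_bypasses_nat=True` reproduces Pasi's (the packet matches because it was never translated), and `install-modified` shows why the last option is the one to avoid: the SA accepts traffic for selectors the SPD never authorised.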