Hi Paul, One clear change is that updating the address, port info is changed from authenticated packet to integrity protected packet. Does this change is to allow recovery from NAT mapping removal during establishment of IKEv2 SA e.g. with EAP authentication, during retransmission of IKE_AUTH exchange ? If Yes, can we have a explicit say for it?
Regards, Raj On Fri, Feb 5, 2010 at 7:15 AM, Paul Hoffman <paul.hoff...@vpnc.org> wrote: > The last bullet in 2.23 is confusing. A proposed rewrite is: > > Old: > > There are cases where a NAT box decides to remove mappings that are > still alive (for example, the keepalive interval is too long, or the > NAT box is rebooted). To recover in these cases, hosts that do not > support other methods of recovery such as MOBIKE [MOBIKE], and that > are not behind a NAT, SHOULD send all packets (including > retransmission packets) to the IP address and port from the last > valid authenticated packet from the other end (that is, they should > dynamically update the address). A host behind a NAT SHOULD NOT do > this because it opens a possible denial of service attack. Any > authenticated IKE packet or any authenticated UDP- encapsulated ESP > packet can be used to detect that the IP address or the port has > changed. When IKEv2 is used with MOBIKE, dynamically updating the > addresses described above interferes with MOBIKE's way of recovering > from the same situation. See Section 3.8 of [MOBIKE] for more > information. > > New: > > There are cases where a NAT box decides to remove mappings that are > still alive (for example, the keepalive interval is too long, or the > NAT box is rebooted). This will be apparent to a host if it receives > a packet whose integrity protection validates, but has a different > port, address, or both from the one that was associated with the SA > in the validated packet. When such a validated packet is found, a > host that does not support other methods of recovery such as MOBIKE > [MOBIKE], and that is not behind a NAT, SHOULD send all packets > (including retransmission packets) to the IP address and port in the > validated packet, and SHOULD store this as the new address and port > combination for the SA (that is, they SHOULD dynamically update the > address). A host behind a NAT SHOULD NOT do this type of dynamic > address update if a validated packet has different port and/or > address values because it opens a possible denial of service attack > (such as allowing an attacker to break the connection with a single > packet). When IKEv2 is used with MOBIKE, dynamically updating the > addresses described above interferes with MOBIKE's way of recovering > from the same situation. See Section 3.8 of [MOBIKE] for more > information. > > --Paul Hoffman, Director > --VPN Consortium > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec >
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
