[64063] in North American Network Operators' Group


Re: Fw: Re: Block all servers?

daemon@ATHENA.MIT.EDU (Crist Clark)
Wed Oct 15 17:17:24 2003

Date: Wed, 15 Oct 2003 14:11:12 -0700
From: Crist Clark <crist.clark@globalstar.com>
To: Chris Brenton <cbrenton@chrisbrenton.org>
Cc: Fred Heutte <aoxomoxoa@sunlightdata.com>, nanog@merit.edu
Reply-To: crist.clark@globalstar.com
Errors-To: owner-nanog-outgoing@merit.edu


Chris Brenton wrote:
[snip]

> True this only works for one to one NAT. Many to one NAT will still
> break IPSec, even if ESP is used alone. This is a functionality issue
> however (IPSec using a fixed source port of 500), rather than a
> "preventing packet modification to thwart man-in-the-middle attacks"
> thing.

IPsec does not use port 500. IKE uses port 500/udp. IKE is an additional
protocol that is widely used to establish SAs and provide keying 
materials for IPsec, but it is not required for a compliant IPsec
implementation. In addition, most IKE implementations do not care
whether the source port on an IKE packet is 500/udp or not.

As I explained previously, ESP alone is un-NAT-able in the general
case due to the fact that it is a peer-to-peer protocol, not
client-to-server, and the SPIs in either direction are unrelated.
-- 
Crist J. Clark                               crist.clark@globalstar.com
Globalstar Communications                                (408) 933-4387
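
As an added illustration that is not part of the original thread, the toy model below contrasts one-to-one and many-to-one NAT on ESP traffic to show why the unrelated SPIs in each direction leave a many-to-one NAT with no way to map replies back. The addresses, SPIs and NAT classes are constructed assumptions, not any real implementation.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Esp:
    src: str
    dst: str
    spi: int  # chosen by the packet's receiver; each direction has its own SPI

class OneToOneNat:
    """Static inside<->public address mapping; needs no per-flow state."""
    def __init__(self, mapping: dict):
        self.fwd = dict(mapping)
        self.rev = {pub: priv for priv, pub in mapping.items()}
    def outbound(self, p: Esp) -> Esp:
        return Esp(self.fwd[p.src], p.dst, p.spi)
    def inbound(self, p: Esp) -> Optional[str]:
        return self.rev.get(p.dst)  # inside host to deliver to, or None

class ManyToOneNat:
    """All inside hosts share one public address. TCP/UDP are demuxed by the
    rewritten source port; ESP has no port, so only (peer, SPI) is available."""
    def __init__(self, public: str):
        self.public = public
        self.table = {}  # (peer, SPI seen outbound) -> inside host
    def outbound(self, p: Esp) -> Esp:
        self.table[(p.dst, p.spi)] = p.src
        return Esp(self.public, p.dst, p.spi)
    def inbound(self, p: Esp) -> Optional[str]:
        # The inbound SPI was chosen by the inside host, not the peer, so it
        # never matches what was learned from outbound traffic.
        return self.table.get((p.src, p.spi))

def deliveries(nat, peer: str, hosts: dict) -> dict:
    """hosts: inside addr -> (outbound SPI, inbound SPI); returns inbound results."""
    result = {}
    for inside, (out_spi, in_spi) in hosts.items():
        pub = nat.outbound(Esp(inside, peer, out_spi))
        # Peer replies to the public address using the SPI the inside host chose.
        result[inside] = nat.inbound(Esp(peer, pub.src, in_spi))
    return result

# Constructed sample values: two inside hosts behind the NAT talking to one peer.
PEER = "203.0.113.7"
HOSTS = {"10.0.0.5": (0x1001, 0xA1), "10.0.0.6": (0x1002, 0xA2)}

def compare() -> tuple:
    static = {"10.0.0.5": "198.51.100.5", "10.0.0.6": "198.51.100.6"}
    one = deliveries(OneToOneNat(static), PEER, HOSTS)
    many = deliveries(ManyToOneNat("198.51.100.1"), PEER, HOSTS)
    return one, many
```

With one-to-one NAT both inside hosts receive their replies; with many-to-one NAT neither does, because the inbound (peer, SPI) pair was never seen outbound.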
