North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Fw: Re: Block all servers?
Chris Brenton wrote: [snip] > True this only works for one to one NAT. Many to one NAT will still > break IPSec, even if ESP is used alone. This is a functionality issue > however (IPSec using a fixed source port of 500), rather than a > "preventing packet modification to thwart man-in-the-middle attacks" > thing. IPsec does not use port 500. IKE uses port 500/udp. IKE is an additional protocol that is widely used to establish SAs and provide keying materials for IPsec, but it is not required for a compliant IPsec implementation. In addition, most IKE implementations do not care whether the source port on a IKE packet is 500/udp or not. As I explained previously, ESP alone is un-NAT able in the general case due to the fact that it is a peer-to-peer protocol, not client-to- server, and the SPIs in either direction are unrelated. -- Crist J. Clark email@example.com Globalstar Communications (408) 933-4387