[Openswan dev] NAT-T in the face of changing IPs

Michael Richardson mcr at xelerance.com
Thu Jul 26 14:44:34 EDT 2007




>>>>> "Michael" == Michael Richardson <mcr at sandelman.ca> writes:
    Michael> Tero Kivinen wrote:
    >>> I.e. a different UDP port.  Apparently, this is a problem for openswan.
    >> 
    >> I guess you mean to say different IP-address, not port. The port is of
    >> course different as it is behind NAT.

    Michael> Yes, that's what I meant.

    >>> Was this a case that I just didn't code for, or is this a gap in the
    >>> specification? 
    >> 
    >> NAT-T specs do say that it can come from different IP-address. It even
    >> specifies that the IP address can change on the fly.

    Michael> Yes, I just didn't expect it to change until after the phase 1 was 
    Michael> complete. I.e that it would change later on.

    Michael> I agree that this behaviour is acceptable. I think I'll have code tested 
    Michael> soon for this tonight.

  Test case nat-pluto-07 (will be in 2.5.15) simulates the experience I
had in the hotel. Once it passed, I upgraded two of my machines, one a
2.6 (XenU), and the other a 2.4.31 machine to 2.5.15-prerelease and they
seemed to work.

  Of course, the IETF hotel network was much less busy, and it didn't do
different NAT mappings for me at 4am when I tested, so I couldn't be sure
it worked in real life. But the test case definitely failed the way I
expected until I fixed various things.

  Likely most of the changes in nat_traversal.c will port back to 2.4
easily, if someone needs that. I'm frankly surprised we have never run
into this in the wild before. Probably, people have, but didn't know why
their phase 1 didn't complete.

  The hotel uses a "Nomadix", which is linux 2.4 kernel based, AFAIK.

-- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
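As an added illustration of the point discussed in the thread (not openswan code, and not from the author): a constructed model of an IKE state table that looks SAs up by the ISAKMP cookies, so a NAT-T peer whose mapped address or port changes mid-phase-1 is still matched and its endpoint updated, beside an address-keyed lookup that orphans the exchange. Class names, the simulate() driver and the sample addresses are assumptions.

```python
from dataclasses import dataclass, field

# Constructed, simplified model of IKE state handling under NAT-T (not openswan's nat_traversal.c).

@dataclass
class IkeState:
    icookie: bytes               # initiator cookie from the ISAKMP header
    rcookie: bytes               # responder cookie (zero until the responder picks one)
    remote: tuple                # (ip, udp_port) the peer was last seen from
    endpoint_changes: list = field(default_factory=list)  # audit trail of moves

class AddressKeyedTable:
    """Lookup keyed on the sender's (ip, port): breaks when the NAT rebinds."""
    def __init__(self):
        self._by_addr = {}

    def add(self, st):
        self._by_addr[st.remote] = st

    def handle_packet(self, src, icookie, rcookie):
        st = self._by_addr.get(src)
        if st is None or (st.icookie, st.rcookie) != (icookie, rcookie):
            return None          # packet from a new NAT mapping finds no state
        return st

class CookieKeyedTable:
    """Lookup keyed on the ISAKMP cookies; the NAT-T endpoint is data, not key."""
    def __init__(self):
        self._by_cookies = {}

    def add(self, st):
        self._by_cookies[(st.icookie, st.rcookie)] = st

    def handle_packet(self, src, icookie, rcookie):
        st = self._by_cookies.get((icookie, rcookie))
        if st is None:
            return None          # unknown cookies: no state, nothing to update
        if src != st.remote:     # NAT mapping changed: follow the peer, keep a record
            st.endpoint_changes.append((st.remote, src))
            st.remote = src      # replies now go to the new mapping
        return st

def simulate(table_cls):
    """Peer starts phase 1 from one NAT mapping and continues from another (constructed values)."""
    table = table_cls()
    ic, rc = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
    table.add(IkeState(ic, rc, ("198.51.100.7", 4500)))
    # The next phase-1 message arrives from a different public address and port.
    return table.handle_packet(("203.0.113.9", 40001), ic, rc)
```

The endpoint_changes list is what a defender would log: a mid-exchange move is legitimate under NAT-T, but a burst of them for one SA is worth an alert.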

