Re: draft-ietf-ipsec-udp-encaps-00: non-500 ESP encap, 32bits of , i-cookie=0
>>>>> "Stephane" == Stephane Beaulieu <stephane@cisco.com> writes:
Derek> For NAT traversal, I think it is eminently ideal for the keying
Derek> and data streams to share a port. Otherwise you need twice as
Derek> many keepalives to keep the NAT mapping happy.
>>
>> Why do we have to keep the NAT mapping for the IKE stream port alive?
>>
>> It isn't like the "gateway" is going to be able to initiate to the
>> client
>> unless the client cooperates.
Stephane> The gateway might need to initiate a rekey, or even send some sort of
Stephane> keepalive / DPD packet (even though none have been standardized at the
Stephane> moment), or for that fact some sort of Informational message
Stephane> (INVALID SPI?)
The only valid reason is the rekey.
The keepalive will obviously keep the port alive.
I just do not see the problem.
Running IPsec packets over the same port is just *UGLY*.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
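Added example, not part of this thread or the draft under discussion: the demultiplexing a receiver needs once IKE and ESP share one UDP port. It assumes the four zero-byte non-ESP marker in front of IKE and the one-byte 0xFF NAT keepalive that RFC 3948 later standardized; the sample packets are constructed.

```python
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # assumed: RFC 3948 marker ahead of IKE on the shared port
KEEPALIVE = b"\xff"                   # assumed: RFC 3948 one-byte NAT-keepalive payload
ISAKMP_HEADER_LEN = 28                # i-cookie(8) r-cookie(8) np ver xtype flags msgid(4) len(4)


def classify_nat_t_payload(payload: bytes) -> dict:
    """Classify one UDP payload received on the shared IKE/ESP port.

    ESP is recognised by a non-zero SPI in the first 32 bits; SPI 0 is reserved,
    so four zero bytes can only be the non-ESP marker that introduces IKE.
    """
    if payload == KEEPALIVE:
        return {"kind": "keepalive"}
    if len(payload) < 8:
        raise ValueError("too short to be ESP or IKE")
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < ISAKMP_HEADER_LEN:
            raise ValueError("truncated ISAKMP header")
        icookie = ike[:8]
        if icookie == bytes(8):
            # A zero initiator cookie is never valid, so reject rather than guess.
            raise ValueError("IKE initiator cookie must be non-zero")
        exchange_type = ike[18]
        msg_len = struct.unpack("!I", ike[24:28])[0]
        return {"kind": "ike", "icookie": icookie.hex(),
                "exchange_type": exchange_type, "length": msg_len}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}


# Constructed sample packets (not captured traffic).
SAMPLE_ESP = struct.pack("!II", 0x1234, 1) + b"\x00" * 16
SAMPLE_IKE = (NON_ESP_MARKER
              + bytes.fromhex("0123456789abcdef")   # initiator cookie, non-zero
              + bytes(8)                             # responder cookie, zero in first message
              + bytes([1, 0x10, 2, 0])               # next payload SA, v1.0, exch type 2, flags
              + struct.pack("!I", 0)                 # message id
              + struct.pack("!I", ISAKMP_HEADER_LEN))

if __name__ == "__main__":
    for pkt in (SAMPLE_ESP, SAMPLE_IKE, KEEPALIVE):
        print(classify_nat_t_payload(pkt))
```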