
RE: NAT traversal documents: are we close to done?



There may be a clarification required for how UDP-ESP implementations
should attempt to use this mode to pass through an "IPsec aware NAT",
one that is tracking UDP 500 cookie session state, and for perhaps
several reasons drop the UDP-ESP packets.  

I'd like to discuss one solution after my test results with the authors
first, probably by end of week, then post the detail to the list.  

Interestingly, our original premise was "don't change NATs", and the NATs
changed....  Many of them do this IPsec passthrough mode for the IPsec
tunnel mode clients.  They can obviously change again, but now there's a
generation of NATs out there with this issue.

-----Original Message-----
From: Markus Stenberg [mailto:mstenber@ssh.com] 
Sent: Tuesday, October 30, 2001 11:43 PM
To: ipsec@lists.tislabs.com
Subject: Re: NAT traversal documents: are we close to done?


paul.hoffman@vpnc.org (Paul Hoffman / VPNC) writes:
> Greetings again. The past few weeks have seen new drafts for the two
> main NAT traversal documents, draft-ietf-ipsec-nat-t-ike-01.txt 
> (Negotiation of NAT-Traversal in the IKE) and 
> draft-ietf-ipsec-udp-encaps-01.txt (UDP Encapsulation of IPsec 
> Packets). Are there any outstanding issues on them? Might we have 
> these finished soon?

I believe they're done (although we noted later on that our Expires:
header in the draft-ietf-ipsec-nat-t-ike-01 looks amusing, but
apparently it's not checked by anyone ;->).

At least, those are all to-do items related to drafts that I know of
(the IKE draft contains few clarifications and udp-encap draft removed
AH support and had some clarifications).

> --Paul Hoffman, Director
> --VPN Consortium

-Markus