
Re: IKEv2 and NAT traversal



On Wed, 12 Dec 2001, Ari Huttunen wrote:
> The second constraint was the attempt to save bandwidth by reducing the amount
> of NAT keepalive packets by using one port, instead of a two port model, like
> I presented in my first draft a year ago...

I'm puzzled by why an optimization attempt -- in my opinion, a severely
misguided one -- is considered a "constraint".  Was there some requirement
on the design which absolutely precluded the extra keepalive traffic?  If
not, then this is *not* a constraint, but merely a preference, which can
and should be sacrificed if it causes more trouble than it's worth (which
it does).

> >   Further, I think that IKE has the right to change things with the cookie
> > values at any time.
> 
> This is an interesting question. I also used to consider a protocol just
> a contract between Ari and Bob, who wish to communicate. However, there's
> Ned in the middle who wishes to 'do stuff' to the protocol while it is
> in transit. If we consider that doing NAT is a valid thing to do, are
> Ari and Bob free to change the protocol so that Ned's implementation fails?

It depends on whether Ned's implementation is relying on undocumented --
and thus *not* promised by contract -- aspects of the protocol.  Nobody
has ever promised that the first four bytes of packets from IKE *and* all
successors to it will be non-zero. 

                                                          Henry Spencer
                                                       henry@spsystems.net
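The demultiplexing question this reply turns on, worked through in code as an added example (it is not part of the thread, and not anyone's IKE or NAT implementation). It puts a one-port demux that keys on IKE's first four bytes next to a two-port demux that keys on the UDP destination port, and feeds both a perfectly legal IKE datagram whose initiator cookie happens to begin with four zero bytes. Assumptions of the example, none of which the thread states: the ISAKMP header layout is that of RFC 2408, the two-port model carries encapsulated ESP on UDP port 4500, and the one-port model tags an encapsulated ESP datagram with four zero bytes where IKE carries its cookie. All datagrams are constructed inline.

```python
"""Demultiplexing IKE from UDP-encapsulated ESP on one port versus two.
Added example, not from the thread or from any real IKE implementation."""
import struct

IKE_PORT = 500  # IKE/ISAKMP (RFC 2409 / RFC 2408)
# Port carrying encapsulated ESP in the two-port model. The thread names no
# number, so this value is an assumption of the example.
ESP_UDP_PORT = 4500

# ISAKMP header (RFC 2408 section 3.1), all fields big-endian: initiator
# cookie (8), responder cookie (8), next payload (1), version (1),
# exchange type (1), flags (1), message ID (4), total length (4).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_VERSION = 0x10           # major 1, minor 0
ESP_HDR = struct.Struct("!II")  # ESP: SPI (4), sequence number (4)
# Assumed tag of the one-port model for an ESP datagram: four zero bytes
# in the position where an IKE datagram carries its initiator cookie.
ZERO_MARKER = b"\x00" * 4


def build_ike(init_cookie, resp_cookie=b"\x00" * 8, exchange_type=2,
              msg_id=0, body=b""):
    """Construct an ISAKMP datagram (exchange type 2 = Main Mode)."""
    length = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(init_cookie, resp_cookie, 0, ISAKMP_VERSION,
                           exchange_type, 0, msg_id, length) + body


def build_esp(spi, seq, ciphertext, marker=b""):
    """Construct an ESP datagram, optionally prefixed with the one-port marker."""
    return marker + ESP_HDR.pack(spi, seq) + ciphertext


def parse_ike_header(payload):
    """Parse an ISAKMP header, checking only what the spec documents:
    the header length, the version field and that the 8-byte initiator
    cookie is not all zero. It makes no claim about the first four bytes."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    ic, rc, nxt, ver, exch, flags, mid, length = ISAKMP_HDR.unpack_from(payload)
    if ver >> 4 != 1:
        raise ValueError("unsupported ISAKMP major version %d" % (ver >> 4))
    if length != len(payload):
        raise ValueError("length field %d != datagram size %d" % (length, len(payload)))
    if ic == b"\x00" * 8:
        raise ValueError("initiator cookie is all zero")
    return {"initiator_cookie": ic, "responder_cookie": rc,
            "next_payload": nxt, "exchange_type": exch,
            "flags": flags, "message_id": mid, "length": length}


def classify_one_port(payload):
    """Ned's one-port heuristic: a datagram on the shared port is IKE
    unless its first four bytes are zero. This relies on an invariant
    IKE never promised."""
    if len(payload) < 4:
        return "runt"
    return "esp" if payload[:4] == ZERO_MARKER else "ike"


def classify_two_port(dst_port, payload):
    """Two-port model: the UDP destination port decides, and the payload
    bytes are left to the endpoints."""
    if dst_port == IKE_PORT:
        return "ike"
    if dst_port == ESP_UDP_PORT:
        return "esp"
    return "unknown"


def demo():
    """Run both demultiplexers over three constructed datagrams and report
    (one-port verdict, two-port verdict, what the IKE parser says)."""
    cases = [
        # Unremarkable cookie: both models agree.
        ("ordinary", IKE_PORT, build_ike(bytes.fromhex("1122334455667788"))),
        # A cookie that is non-zero as an 8-byte value but starts with four
        # zero bytes: legal IKE, yet the one-port heuristic calls it ESP.
        ("leading_zero", IKE_PORT, build_ike(bytes.fromhex("00000000deadbeef"))),
        # Encapsulated ESP; the one-port variant carries the marker.
        ("esp", ESP_UDP_PORT, build_esp(0x1000, 1, b"\x5a" * 16, marker=ZERO_MARKER)),
    ]
    results = {}
    for name, port, pkt in cases:
        try:
            parsed = "ike:%s" % parse_ike_header(pkt)["initiator_cookie"].hex()
        except ValueError as e:
            parsed = "not-ike (%s)" % e
        results[name] = (classify_one_port(pkt), classify_two_port(port, pkt), parsed)
    return results


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print("%-13s one-port=%-4s two-port=%-4s parser=%s" % ((name,) + verdicts))
```

The "leading_zero" row is the whole argument in one line: the IKE parser, checking only the documented header fields, accepts the datagram, the two-port demux routes it correctly by port, and the one-port heuristic silently hands an IKE message to the ESP path. An endpoint that picked such a cookie would be within its rights; it is the middlebox that built on an undocumented property.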
