
Re: IKEv2 and NAT traversal



Jayant Shukla wrote:
> 
> > -----Original Message-----
> > From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]
> > On Behalf Of Ari Huttunen

> Didn't your original draft use RSIP? From the section 6 of your original
> draft (expired Jan 2001), it seems to me that it is based on RSIP
> principle and UDP encapsulation. So you cannot deny a connection to "NAT
> people"! Of course your new drafts have gotten rid of RSIP.

No RSIP was implied in that or any later draft. RSIP requires co-operation
by NAT boxes, and we've assumed that NAT boxes are 'hostile' entities that
don't want to co-operate. It's not that way in some cases, but in a hotel
room type of scenario it will be.

> Why does IKE have to move to another port? This is your kludge which
> forces you to do nasty stuff like this. 

It doesn't, that's why it's not specified in the drafts right now. The whole
point is that *IF* IKEv2 moves to a non-500 port, we can optimize
the encapsulation. The reason to move should not be NAT traversal, but other
possible reasons. I'm not claiming there are such, but it seemed to be implied.

> p.s.: BTW, I have notified IETF about your new drafts infringing on our
> intellectual property.

Well, drafts or RFCs do not 'infringe' on patents. Patent applications on
the other hand are not yet even 'intellectual property', they're just
applications. Only products can infringe on patents.

In any case, when I see that statement I can add a generic reference to
it in the encapsulation draft. If it has an effect on the acceptance of
our drafts is not a question for me to worry about.

Ari

-- 
"They that can give up essential liberty to obtain a little 
temporary safety deserve neither liberty nor safety." - Benjamin Franklin

Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com 

F(ully)-Secure products: Securing the Mobile Enterprise

