
Re: SOI QUESTION 6.1.c-6.2



Theodore Ts'o wrote:
> 6.1.C) Should SOI format be roughly the same as IKEv1?  (See
> discussion in section 6.4, re: code preserving)
> 

> 6.2 Port number
> 
> 6.2.A) Should SOI use the same port as IKEv1?  (See discussion in
> soi-features-01 the tradeoffs in this question).
> 

Instead of answering, let me pose another question here:

  Should SOI support NAT-traversal as defined by the following documents?
  - draft-ietf-ipsec-udp-encaps-03.txt
  - draft-ietf-ipsec-nat-t-ike-03.txt

The reason this is relevant is that if the answer is 'yes', the method
specified in these documents can be simplified. I.e. the documents describe
port floating in which the IKE changes the UDP port and IKE message
formatting to include a non-ESP marker. The way to simplify this, should
SOI choose to support this, would be 
a) choose a different port than 500
b) always put a non-ESP marker in the SOI packet, so it's always 'floated'

This would simplify the protocol from using two ports to using just one, 
but with the cost of 4 bytes per every SOI packet, with or without NAT.

Ari

-- 

Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com 

F(ully)-Secure products: Securing the Mobile Enterprise
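The message above discusses the non-ESP marker that the NAT-traversal drafts use to let IKE and UDP-encapsulated ESP share one UDP port. The following is an added example (not code from the message, the drafts, or F-Secure) showing what a receiver on the "floated" port has to do to tell the two apart, and the 4-byte cost of always prepending the marker that Ari mentions. The packet layouts, the 0xFF keepalive byte and the ISAKMP header length are taken from the drafts as I recall them; the sample packets are constructed here and the function names are my own.

```python
"""Demultiplexing IKE and UDP-encapsulated ESP on one UDP port.

Added example, not part of the original message. Models the receiver side
of the non-ESP marker from draft-ietf-ipsec-udp-encaps / nat-t-ike:
on the floated port the first 4 bytes of a UDP payload are either
  - an ESP SPI (a zero SPI is reserved, so this word is non-zero), or
  - the 4-byte all-zero non-ESP marker that precedes an IKE header.
A one-byte 0xFF payload is a NAT keepalive.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # assumption: 4 zero bytes, per the drafts
NAT_KEEPALIVE = b"\xff"                # assumption: single 0xFF octet
IKE_HEADER_LEN = 28                    # ISAKMP header (RFC 2408) is 28 bytes
IKE_HEADER_FMT = ">8s8sBBBBII"         # iSPI, rSPI, next, version, exch, flags, msgid, length


def encapsulate_ike(ike_message: bytes) -> bytes:
    """Sender side of the 'always floated' design: prepend the marker.

    Costs exactly 4 bytes per packet, NAT present or not.
    """
    return NON_ESP_MARKER + ike_message


def demux(payload: bytes) -> tuple[str, bytes]:
    """Classify a UDP payload received on the shared port.

    Returns one of:
      ("keepalive", b"")            single 0xFF octet
      ("ike", ike_message)          marker stripped, header length validated
      ("esp", payload)              ESP-in-UDP, left intact for the ESP layer
      ("invalid", payload)          too short or inconsistent framing
    """
    if payload == NAT_KEEPALIVE:
        return ("keepalive", b"")
    if len(payload) < 4:
        return ("invalid", payload)
    if payload[:4] == NON_ESP_MARKER:
        body = payload[4:]
        if len(body) < IKE_HEADER_LEN:
            return ("invalid", payload)
        # The ISAKMP length field must describe the whole message we hold;
        # a mismatch means a truncated or malformed datagram, not IKE traffic.
        length = struct.unpack(IKE_HEADER_FMT, body[:IKE_HEADER_LEN])[7]
        if length != len(body):
            return ("invalid", payload)
        return ("ike", body)
    # Non-zero first word: treat as an ESP SPI and hand the packet to ESP.
    return ("esp", payload)


def overhead_bytes(packets: list[bytes]) -> int:
    """Extra bytes the always-marked design adds for a list of IKE messages."""
    return sum(len(encapsulate_ike(p)) - len(p) for p in packets)


def sample_ike_message(payload_len: int = 16) -> bytes:
    """Constructed IKE message: a valid ISAKMP header plus dummy payload bytes."""
    total = IKE_HEADER_LEN + payload_len
    header = struct.pack(IKE_HEADER_FMT, b"\x11" * 8, b"\x22" * 8,
                         0x01, 0x10, 0x02, 0x00, 0x00000000, total)
    return header + b"\xaa" * payload_len


def sample_esp_packet() -> bytes:
    """Constructed ESP-in-UDP packet: non-zero SPI, sequence number, ciphertext."""
    return struct.pack(">II", 0x0000ABCD, 1) + b"\x5a" * 32


if __name__ == "__main__":
    ike = sample_ike_message()
    for pkt in (encapsulate_ike(ike), sample_esp_packet(), NAT_KEEPALIVE, NON_ESP_MARKER + b"x"):
        kind, _ = demux(pkt)
        print(f"{len(pkt):3d} bytes -> {kind}")
    print("overhead for 10 IKE messages:", overhead_bytes([ike] * 10), "bytes")
```

The ESP branch deliberately does not inspect further: once the first word is non-zero the packet belongs to the ESP implementation, which validates the SPI against its SA table. The only framing decision the shared port forces on the receiver is this 4-byte check, which is why the message argues that always sending the marker collapses the two-port scheme into one.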