
NAT Traversal in IKEv2



[[ Please note that I changed the subject line. Everyone: if you want 
to comment on what was said at the meeting, please make a better 
subject line for your thread! ]]

At 12:46 PM +0200 11/26/02, Ari Huttunen wrote:
>Paul Hoffman / VPNC wrote:
>>IKEv2 status discussion - Charlie Kaufman
>>     New draft in October
>>     Changed many things that became controversial:
>>         Suites replaced à la carte
>>         Went to always 4 messages
>>         Simplified traffic selector (no one has complained)
>>     Other controversies
>>         NAT traversal
>>         Tunnel vs. transport negotiation
>>         Key sizes and algorithms
>>         Legacy auth not covered
>>         Revised identity proposal
>>     NAT Traversal
>>         Not in IKEv1, but now there is a draft
>>         Should the new extensions be included in IKEv2?
>>     Tunnel vs. transport
>>         No negotiation in IKEv2
>>         Charlie needs to understand why this is needed
>>         If inner and outer IP addresses are the same,
>>             MAY use transport
>
>IMHO, NAT traversal is currently unnecessarily complicated.
>If we can imagine tweaking some things that we could not tweak
>when specifying it for IKEv1, we could make it simpler.
>I would myself throw out transport mode, and specify only
>tunnel mode for NAT traversal. I would also make IKEv2 always
>floated, so we can get rid of the ugly part of changing
>a protocol from one port to another.

Just to be clear, are you saying that the port for IKEv2 should 
always be floated even if NAT-traversal is not negotiated?

--Paul Hoffman, Director
--VPN Consortium
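To make the "floating" being debated concrete, here is an added example (not code from the thread or from any IKEv2 implementation) that models the NAT detection mechanism IKEv2 later standardized in RFC 7296 section 2.23: each side hashes the SPIs, source address and port it sent from, and the peer compares that against what it actually observed; a mismatch means a NAT rewrote the packet and the exchange moves from UDP 500 to UDP 4500. The helper names, the `always_float` switch modelling Ari's proposal, and the sample addresses are all constructed for this illustration.

```python
import hashlib
import ipaddress
import struct

IKE_PORT = 500          # initial IKE port
IKE_NAT_T_PORT = 4500   # port the exchange "floats" to once NAT is detected


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over SPIi | SPIr | IP address | port, the payload of the
    NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifications."""
    ip_bytes = ipaddress.ip_address(ip).packed       # 4 or 16 bytes
    return hashlib.sha1(spi_i + spi_r + ip_bytes + struct.pack("!H", port)).digest()


def nat_detected(sent_hash: bytes, spi_i: bytes, spi_r: bytes,
                 observed_ip: str, observed_port: int) -> bool:
    """Receiver recomputes the hash over the address/port it actually saw;
    a mismatch means a NAT changed them in transit."""
    return sent_hash != nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)


def choose_port(nat_present: bool, always_float: bool) -> int:
    """Draft behaviour: float to 4500 only when NAT is detected.
    Proposal from the thread (always_float=True): always use 4500,
    so the protocol never has to switch ports mid-negotiation."""
    return IKE_NAT_T_PORT if (always_float or nat_present) else IKE_PORT


def run_scenario(initiator_ip: str, seen_ip: str, seen_port: int,
                 always_float: bool = False) -> dict:
    """Constructed exchange: the initiator sends from initiator_ip:500 and
    the responder observes the packet arriving from seen_ip:seen_port."""
    spi_i = bytes.fromhex("0102030405060708")   # constructed SPIs
    spi_r = bytes(8)                             # responder SPI is zero in IKE_SA_INIT
    sent = nat_detection_hash(spi_i, spi_r, initiator_ip, IKE_PORT)
    nat = nat_detected(sent, spi_i, spi_r, seen_ip, seen_port)
    return {"nat": nat, "port": choose_port(nat, always_float)}


if __name__ == "__main__":
    # Initiator on a private address, NAT rewrites it to a public one.
    print(run_scenario("10.0.0.5", "203.0.113.7", 4123))
    # Same packet with no NAT in the path, draft behaviour vs. always-float.
    print(run_scenario("192.0.2.1", "192.0.2.1", IKE_PORT))
    print(run_scenario("192.0.2.1", "192.0.2.1", IKE_PORT, always_float=True))
```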