NAT Traversal in IKEv2
[[ Please note that I changed the subject line. Everyone: if you want
to comment on what was said at the meeting, please make a better
subject line for your thread! ]]
At 12:46 PM +0200 11/26/02, Ari Huttunen wrote:
>Paul Hoffman / VPNC wrote:
>>IKEv2 status discussion - Charlie Kaufman
>>  New draft in October
>>  Changed many things that became controversial:
>>    Suites replaced à la carte
>>    Went to always 4 messages
>>    Simplified traffic selector (no one has complained)
>>  Other controversies
>>    NAT traversal
>>    Tunnel vs. transport negotiation
>>    Key sizes and algorithms
>>    Legacy auth not covered
>>    Revised identity proposal
>>  NAT Traversal
>>    Not in IKEv1, but now there is a draft
>>    Should the new extensions be included in IKEv2?
>>  Tunnel vs. transport
>>    No negotiation in IKEv2
>>    Charlie needs to understand why this is needed
>>    If inner and outer IP addresses are the same,
>>      MAY use transport
>
>IMHO, NAT traversal is currently unnecessarily complicated.
>If we can imagine tweaking some things that we could not tweak
>when specifying it for IKEv1, we could make it simpler.
>I would myself throw out transport mode, and specify only
>tunnel mode for NAT traversal. I would also make IKEv2 always
>floated, so we can get rid of the ugly part of changing
>a protocol from one port to another.
Just to be clear, are you saying that the port for IKEv2 should
always be floated even if NAT-traversal is not negotiated?
--Paul Hoffman, Director
--VPN Consortium