
Re: draft-ietf-ipsec-ikev2-05.txt comments



Francis Dupont writes:
>    I do not think there are real world cases where the responder is
>    behind NAT, especially dynamic NATs :-)
>    
> => I can imagine as many as you are ready to read (:-), for instance

I can imagine lots of things, but that does not make it a real world
case.

> one can use some kind of callback mechanism in order to enforce the
> side of the initiator (firewalls are good reasons to do that).

Where is that used in real world NOW?

> To summarize, I can't see why we refuse the opportunity to support
> any position for the NAT.

I do think NAT can be in any position with current draft already, so
there is no need to make the protocol more complicated because of some
imagined cases.

For example the callback mechanism would probably want to do the
initial authentication before calling back, thus in the current
protocol the original responder will already know the mapping for
port 4500, and there are NAT keepalives already going for that port,
so it can directly connect to that port and use it as the callback
address.
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
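The argument above (the responder can reuse the UDP/4500 mapping it learned during the initial exchange, provided NAT keepalives keep that mapping alive) can be made concrete with a small simulation. The following is an added example, not code from the mail, the draft, or the SSH toolkit: it models a dynamic address-and-port NAT with an idle timeout, runs the initiator's initial exchange and keepalives through it, and then checks whether a responder-initiated "callback" to the learned public address and port is delivered. The NAT timeout, keepalive interval, addresses and port numbers are assumptions chosen for illustration.

```python
"""Simulated dynamic NAT showing why an IKEv2 responder can 'call back' an
initiator behind NAT through the UDP/4500 mapping learned in the initial
exchange, as long as NAT keepalives keep that mapping alive.

Constructed example: the NAT model, the 30 s idle timeout and the
addresses below are assumptions, not taken from any real implementation.
"""

from dataclasses import dataclass

IKE_NAT_T_PORT = 4500     # UDP port used for NAT-traversal IKE/ESP
NAT_UDP_TIMEOUT = 30      # assumed: NAT drops idle UDP mappings after 30 s


@dataclass
class Mapping:
    inside: tuple          # (private IP, private port)
    outside: tuple         # (public IP, public port) the responder sees
    last_seen: float       # time of the last packet in either direction


class DynamicNAT:
    """Address-and-port NAT: a mapping is created by outbound traffic,
    refreshed by traffic in either direction, and dropped when idle."""

    def __init__(self, public_ip, timeout=NAT_UDP_TIMEOUT):
        self.public_ip = public_ip
        self.timeout = timeout
        self.next_port = 40000
        self.by_inside = {}
        self.by_outside = {}

    def _expire(self, now):
        for m in list(self.by_inside.values()):
            if now - m.last_seen > self.timeout:
                del self.by_inside[m.inside]
                del self.by_outside[m.outside]

    def outbound(self, src, now):
        """Initiator -> Internet. Creates or refreshes the mapping and
        returns the public (IP, port) the responder will observe."""
        self._expire(now)
        m = self.by_inside.get(src)
        if m is None:
            m = Mapping(src, (self.public_ip, self.next_port), now)
            self.next_port += 1
            self.by_inside[src] = m
            self.by_outside[m.outside] = m
        m.last_seen = now
        return m.outside

    def inbound(self, dst, now):
        """Internet -> initiator. Forwarded only if a live mapping exists;
        returns the private (IP, port) or None if the packet is dropped."""
        self._expire(now)
        m = self.by_outside.get(dst)
        if m is None:
            return None
        m.last_seen = now
        return m.inside


def callback_reaches_initiator(keepalive_interval, callback_at):
    """Scenario from the mail: the initiator (behind NAT) completes the
    initial authenticated exchange on UDP/4500 at t=0, then sends a NAT
    keepalive every `keepalive_interval` seconds (0 = none). At
    `callback_at` the responder sends to the public address/port it
    learned. Returns True if that packet reaches the initiator."""
    nat = DynamicNAT("203.0.113.5")                 # assumed public address
    initiator = ("10.0.0.2", IKE_NAT_T_PORT)        # assumed private address
    learned = nat.outbound(initiator, now=0)        # IKE_SA_INIT / IKE_AUTH
    if keepalive_interval:
        t = keepalive_interval
        while t < callback_at:
            nat.outbound(initiator, now=t)          # keepalive, same 5-tuple
            t += keepalive_interval
    return nat.inbound(learned, now=callback_at) == initiator
```

Two cases are worth trying: with keepalives sent more often than the NAT idle timeout the callback at t=100 is delivered, while without keepalives (or with an interval longer than the timeout, which silently allocates a new public port the responder never learned) the responder's packet is dropped.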