
Re: rewrite of IKEv2 Section 2.11 Address and Port Agility



Francis,

There seem to be some fundamental differences in the approach that you
take to handling NAT traversal and the approach which is currently in
ikev2.  The approach in ikev2 is substantially similar to what is
in the IKEv1 NAT traversal documents, which were authored by Tero
Kivinen, Brian Swander, Ari Huttunen, and Victor Volpe, and for which
there is implementation experience and a non-trivial amount of testing
with currently deployed NAT boxes.

Your proposals for changing how NAT traversal would work in ikev2 do
not seem to have drawn much resonance with the rest of the working
group.  In particular, your desire to require that the administrators
explicitly declare whether or not NAT traversal should be turned on
seems to be at odds with many other wg participants.  While it is true
that someone on the network path can pretend to be a NAT and redirect
the connection, someone who controls a machine on the network path
between two end points can achieve this easily anyway.  Furthermore,
in the road-warrior scenario, most end-users will not necessarily know
whether or not they are behind a NAT --- and I think most would agree
that it is desirable that users not be forced to know details of how
their ISP is provisioning their network service.

							- Ted