
New draft-ietf-ipsec-nat-t-ike-06 draft
I updated the NAT-T draft (the old one was about to expire next week).
The changes to the old version are:

- Updated references.

- Changed some words in the following paragraph ({+this is added text+}
  [-this was removed-]):
----------------------------------------------------------------------
If there is no NAT between then the first NAT-D payload {+received+}
should match one of the local NAT-D [-packet-] {+payloads+} (i.e
[-the-] local NAT-D payloads this host is sending out), and the one of
the other NAT-D payloads must match the remote ends IP address and
port. If the first check fails (i.e first NAT-D payload does not match
any of the local IP addresses and ports), then it means that there is
dynamic NAT between, and this end should start sending keepalives as
defined in the [-[Hutt02].-] {+[Hutt03].+}
----------------------------------------------------------------------

- Replaced

----------------------------------------------------------------------
It is not normally useful to propose both normal tunnel or transport
mode and UDP-Encapsulated modes. If there is a NAT box between normal
tunnel or transport encapsulations may not work, and if there is no NAT
box between, there is no point of wasting bandwidth by adding UDP
encapsulation of packets. Because of this initiator SHOULD NOT include
both normal tunnel or transport mode and UDP-Encapsulated-Tunnel or UDP-
Encapsulated-Transport in its proposals.
----------------------------------------------------------------------

with this:

----------------------------------------------------------------------
It is not normally useful to propose both normal tunnel or transport
mode and UDP-Encapsulated modes.

If there is a NAT box between normal tunnel or transport encapsulations
may not work and in that case UDP-Encapsulation SHOULD be used.

If there is no NAT box between, there is no point of wasting bandwidth
by adding UDP encapsulation of packets, thus UDP-Encapsulation SHOULD
NOT be used.

Also initiator SHOULD NOT include both normal tunnel or transport mode
and UDP-Encapsulated-Tunnel or UDP-Encapsulated-Transport in its
proposals.
----------------------------------------------------------------------

I.e., say clearly that if there is a NAT between, then NAT-T SHOULD be
used, and if no NAT is detected, then NAT-T SHOULD NOT be used. The old
text was not clear on this point.

This document should now be finished (we only need to modify the VID
when we know the RFC number).
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
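The NAT-D check described in the changed paragraph above (first received NAT-D payload must match one of our own NAT-D payloads, one of the remaining ones must match the peer's observed address and port), worked through as an added example. This is not code from the draft or from the poster's toolkit. It assumes, as the post itself does not spell out, that a NAT-D payload is the negotiated hash over the ISAKMP cookies, IP address and port (here SHA-1 is chosen as the hash), that the peer sends the payload for the destination address first and then one per local address, and that the outcome on our side is whether this end must start sending keepalives. All cookies and addresses are constructed sample values.

```python
"""NAT-D based NAT detection (added example, not part of the draft or the post).

Assumptions, labelled here because the post does not state them:
  * NAT-D payload = HASH(CKY-I | CKY-R | IP | Port); SHA-1 stands in for the
    negotiated hash.
  * The peer sends the NAT-D payload for the *destination* address (our address,
    from its point of view) first, then one payload per local address it has.
"""
import hashlib
import ipaddress
import struct


def nat_d_payload(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """Build one NAT-D payload for an (ip, port) pair under the assumed format."""
    addr = ipaddress.ip_address(ip).packed          # 4 or 16 bytes, network order
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def detect_nat(cky_i, cky_r, local_addrs, remote_seen, received):
    """Apply the draft's check to the NAT-D payloads received from the peer.

    local_addrs : [(ip, port)] this host uses, i.e. the NAT-D payloads it sends out
    remote_seen : (ip, port) the peer's packet actually arrived from
    received    : NAT-D payloads in the order they appeared in the peer's message
    Returns (we_are_behind_nat, peer_is_behind_nat).
    """
    if not received:
        raise ValueError("no NAT-D payloads received; NAT-T not negotiated")
    local_payloads = {nat_d_payload(cky_i, cky_r, ip, port) for ip, port in local_addrs}
    remote_payload = nat_d_payload(cky_i, cky_r, *remote_seen)
    first, rest = received[0], received[1:]
    # Check 1 (draft): first payload must match one of our local NAT-D payloads.
    # A mismatch means our own address was rewritten on the way to the peer,
    # so there is a NAT in front of *us* and we must start sending keepalives.
    we_are_behind_nat = first not in local_payloads
    # Check 2 (draft): one of the other payloads must match the address and
    # port we actually see the peer using; otherwise the peer is behind a NAT.
    peer_is_behind_nat = remote_payload not in rest
    return we_are_behind_nat, peer_is_behind_nat


def must_send_keepalives(cky_i, cky_r, local_addrs, remote_seen, received) -> bool:
    """The consequence the paragraph draws from a failed first check."""
    return detect_nat(cky_i, cky_r, local_addrs, remote_seen, received)[0]


def example_scenario():
    """Constructed case: we have a public address, the peer sits behind a NAT."""
    cky_i = bytes.fromhex("0011223344556677")   # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")   # constructed responder cookie
    our_addrs = [("198.51.100.1", 500)]         # constructed: our address, no NAT in front
    peer_private = ("10.0.0.5", 500)            # constructed: peer's real address behind NAT
    peer_seen = ("203.0.113.9", 1024)           # constructed: peer as observed after translation
    # The peer builds its payloads from its own view: destination (us) first, then itself.
    received = [nat_d_payload(cky_i, cky_r, *our_addrs[0]),
                nat_d_payload(cky_i, cky_r, *peer_private)]
    return detect_nat(cky_i, cky_r, our_addrs, peer_seen, received)


if __name__ == "__main__":
    we_nat, peer_nat = example_scenario()
    print(f"we are behind NAT: {we_nat}, peer is behind NAT: {peer_nat}")
```

Running the scenario reports that this end is not behind a NAT (so no keepalives are needed here) while the peer is, which is the case where UDP encapsulation SHOULD be used according to the replaced text. Swapping the roles, so that our own address is the one rewritten, makes the first check fail and `must_send_keepalives` return true.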