
RE: Question about draft-ietf-ipsec-nat-t-ike-06.txt.


Thanks for your reply, but I was referring to the phase 2 negotiation (where
NAT-OA payloads are used). I understand the phase 1 negotiation using NAT-D.

My question is: Given that the sender may not know his own IP address, the
draft specifies that in phase 1 he should send multiple NAT-D payloads
corresponding to all of his possible IP addresses.
- What is the sender supposed to do in phase 2 in this case? What address
should he specify in his NAT-OA payload? (Is there a relation between the
NAT-OA content and the Quick Mode ID payload?)

Thanks again,

-----Original Message-----
From: owner-ipsec@lists.tislabs.com
[mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Joshua Graessley
Sent: Tuesday, June 24, 2003 11:16 PM
To: Jesse Alpert
Cc: ipsec@lists.tislabs.com; 'Tero Kivinen'
Subject: Re: Question about draft-ietf-ipsec-nat-t-ike-06.txt.

On Tuesday, June 24, 2003, at 10:12, Jesse Alpert wrote:

> Hi,
> In section 3.2 of the nat-t draft (version 06) it says:
> "If the sender of the packet does not know his own IP address ...
> he can include multiple ..."
> But in section 5.2. - Sending the original source and destination
> addresses, there is no discussion about this problem.
> Question: If the sender of the packet does not know his own IP address,
> what address is he supposed to put in his NAT-OA payload?
> What am I missing?

I believe this is done to handle the case where a multihomed host may
send from a number of addresses. The IKE implementation may not know
which address will be used to send the packet, so it may include a NAT
detection payload for each address. When the packet is received, if
none of the NAT detection payloads match the address the packet was
from, then a NAT is there.

The sender must know the possible IP addresses. It may not know the
specific address that will be picked by the stack.
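The phase 1 mechanism described above, as an added worked example that is not part of this thread and not code from any IKE implementation: a multihomed initiator builds one NAT-D payload per candidate local address (preceded, as the draft specifies, by one for the peer's address), and the responder compares them against the addresses it actually observes. NAT-D content is HASH(CKY-I | CKY-R | IP | Port) with the IP in network byte order and the port as a 16-bit big-endian value. Assumptions: the negotiated hash is SHA-1, the cookies and addresses are constructed sample values, and the function names are illustrative.

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int,
               hash_alg: str = "sha1") -> bytes:
    """NAT-D payload content: HASH(CKY-I | CKY-R | IP | Port).

    IP is the packed network-byte-order address (4 or 16 bytes), Port a
    16-bit big-endian value. Assumption: the phase 1 hash is SHA-1.
    """
    h = hashlib.new(hash_alg)
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ip).packed)
    h.update(struct.pack("!H", port))
    return h.digest()


def build_nat_d_payloads(cky_i: bytes, cky_r: bytes,
                         remote_ip: str, remote_port: int,
                         local_ips: list, local_port: int) -> list:
    """Sender side. First NAT-D covers the destination (peer) address; each
    further NAT-D covers one local address the stack might pick as source.
    A multihomed host that does not know which address will be used simply
    lists all of them."""
    payloads = [nat_d_hash(cky_i, cky_r, remote_ip, remote_port)]
    payloads += [nat_d_hash(cky_i, cky_r, ip, local_port) for ip in local_ips]
    return payloads


def detect_nat(cky_i: bytes, cky_r: bytes, received: list,
               my_ip: str, my_port: int,
               observed_src_ip: str, observed_src_port: int) -> tuple:
    """Receiver side. Returns (nat_in_front_of_me, nat_in_front_of_peer).

    - The first payload is the peer's view of *my* address; if it does not
      match my real address, a NAT rewrote the destination (NAT on my side).
    - The remaining payloads are the peer's candidate source addresses; if
      none matches the outer source address of the packet, the peer's
      address was rewritten (NAT on the peer's side).
    """
    if not received:
        raise ValueError("no NAT-D payloads received")
    my_hash = nat_d_hash(cky_i, cky_r, my_ip, my_port)
    src_hash = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    local_nat = received[0] != my_hash
    remote_nat = src_hash not in received[1:]
    return local_nat, remote_nat


if __name__ == "__main__":
    # Constructed sample cookies (8 bytes each) and addresses.
    CKY_I = bytes.fromhex("0011223344556677")
    CKY_R = bytes.fromhex("8899aabbccddeeff")
    peer = "203.0.113.1"
    mine = ["192.0.2.10", "198.51.100.7"]   # multihomed initiator

    payloads = build_nat_d_payloads(CKY_I, CKY_R, peer, 500, mine, 500)
    # Packet arrives at the responder from one of the listed addresses.
    print(detect_nat(CKY_I, CKY_R, payloads, peer, 500, "198.51.100.7", 500))
    # Same payloads, but the packet arrives from a NAT's public address.
    print(detect_nat(CKY_I, CKY_R, payloads, peer, 500, "203.0.113.99", 4500))
```

This covers only the phase 1 NAT-D exchange the reply describes; it says nothing about which address the sender should place in a phase 2 NAT-OA payload, which is the question left open in the thread.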