
RE: NAT-T, IKEv2, Vendor ID, port floating??



The minimum support mandated by the draft is to ignore NAT detection.  I
doubt if even the most paranoid would be afraid of SSH suing over ignoring
notification payloads with message type 24582 and 24583.

If we interpret the draft as requiring you to calculate the hash and verify
it, there may be something to worry about, but as long as we agree that
ignoring is acceptable, I don't see the problem with making support
mandatory.  All we want to do is to make sure that even if you don't support
NAT traversal, you won't be unable to interoperate just because the peer
sends the notification.

-----Original Message-----
From: owner-ipsec@lists.tislabs.com [mailto:owner-ipsec@lists.tislabs.com] On Behalf Of Ari Huttunen
Sent: Wednesday, August 06, 2003 12:23 PM
To: Francis Dupont
Cc: Tero Kivinen; tomhu@cisco.com; ietf ipsec
Subject: Re: NAT-T, IKEv2, Vendor ID, port floating??


I would hesitate to make NAT detection mandatory, just for patenting
reasons. I'm not saying there is necessarily any problem with that,
but I remember that detection of a NAT was one thing being claimed by
an SSH patent application. So, if we assume that there are relatively
paranoid people out there who are paranoid about the patent issues, they
wouldn't want NAT detection being mandatory.

(If that didn't contain enough disclaimers) I would point out that it's
a long while since I read those patent applications, and I've no idea
about their current status. Nor do I care about their status.

Ari