
Re: NAT-T, IKEv2, Vendor ID, port floating??



I don't have any disagreement with what you said, but you shouldn't have
deleted Francis's comment, to which I was replying:
> => in my idea to make NAT detection mandatory there are two parts:
>  - the initiator must put NAT_DETECTION_* notifications in the
>    first message.
>  - the responder must reply to the NAT_DETECTION_* notifications.
> I agree this is a change from the current specs.

Ari


Yoav Nir wrote:

> The minimum support mandated by the draft is to ignore NAT detection.  I
> doubt if even the most paranoid would be afraid of SSH suing over ignoring
> notification payloads with message types 24582 and 24583.
> 
> If we interpret the draft as requiring you to calculate the hash and verify
> it, there may be something to worry about, but as long as we agree that
> ignoring is acceptable, I don't see the problem with making support
> mandatory.  All we want to do is to make sure that even if you don't support
> NAT traversal, you won't be unable to interoperate just because the peer
> sends the notification.
> 
> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Ari Huttunen
> Sent: Wednesday, August 06, 2003 12:23 PM
> To: Francis Dupont
> Cc: Tero Kivinen; tomhu@cisco.com; ietf ipsec
> Subject: Re: NAT-T, IKEv2, Vendor ID, port floating??
> 
> 
> I would hesitate to make NAT detection mandatory, just for patenting
> reasons. I'm not saying there is necessarily any problem with that,
> but I remember that detection of a NAT was one thing being claimed by
> an SSH patent application. So, if we assume that there are relatively
> paranoid people out there who are paranoid about the patent issues, they
> wouldn't want NAT detection being mandatory.
> 
> (If that didn't contain enough disclaimers) I would point out that it's
> a long while since I read those patent applications, and I've no idea
> about their current status. Nor do I care about their status.
> 
> Ari
> 

-- 
I play it cool and dig all jive,
  that's the reason I stay alive.
   My motto as I live and learn,
    is dig and be dug in return. <Langston Hughes>

Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com

F(ully)-Secure products: Securing the Mobile Enterprise
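The two options the thread contrasts, ignoring the NAT_DETECTION_* notifications versus recomputing and verifying the hash, as an added worked example that is not part of the original mail. It assumes the hash definition that ended up in RFC 7296 section 2.23 (SHA-1 over SPIi | SPIr | IP address | port; the 2003 draft under discussion may have differed in detail) and uses constructed SPIs and documentation addresses.

```python
import hashlib
import ipaddress
import struct

# IKEv2 notify message types named in the thread (RFC 7296, section 3.10.1).
NAT_DETECTION_SOURCE_IP = 24582
NAT_DETECTION_DESTINATION_IP = 24583


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over SPIi | SPIr | IP | port (RFC 7296, section 2.23).

    The SPIs are the two 8-byte values from the IKE header, in the order they
    appear there (SPIr is all zero in the initiator's first message); the
    address is 4 or 16 bytes in network order and the port is 2 bytes.
    """
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def build_notifications(spi_i, spi_r, src_ip, src_port, dst_ip, dst_port):
    """Initiator side: the two notifications carried in the first message."""
    return {
        NAT_DETECTION_SOURCE_IP: nat_detection_hash(spi_i, spi_r, src_ip, src_port),
        NAT_DETECTION_DESTINATION_IP: nat_detection_hash(spi_i, spi_r, dst_ip, dst_port),
    }


def responder_detects_nat(notifs, spi_i, spi_r, seen_src_ip, seen_src_port,
                          own_ip, own_port):
    """Responder side: recompute both hashes over what it actually observed.

    Returns (peer_behind_nat, self_behind_nat). A mismatch means some device
    on the path rewrote that address or port. A responder that merely ignores
    the notifications, the minimum the thread says the draft requires, behaves
    as if both values were False.
    """
    peer_nat = notifs[NAT_DETECTION_SOURCE_IP] != nat_detection_hash(
        spi_i, spi_r, seen_src_ip, seen_src_port)
    self_nat = notifs[NAT_DETECTION_DESTINATION_IP] != nat_detection_hash(
        spi_i, spi_r, own_ip, own_port)
    return peer_nat, self_nat
```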