
Re: NAT-T, IKEv2, Vendor ID, port floating??



Francis Dupont wrote:

>  In your previous mail you wrote:
> 
>    >  - is the support of NAT detection mandatory? For some other reasons
>    >    (implicit peer address protection) I strongly believe it should be
>    >    mandatory when the IKE_SA_INIT is done over port 500 and to answer
>    >    the next point it should be mandatory in all cases.
>    
>    It is mandatory to be able to ignore those packets. It is not
>    mandatory to be able to reply to them. 
>    
> => in my idea to make NAT detection mandatory there are two parts:
>  - the initiator must put NAT_DETECTION_* notifications in the
>    first message.
>  - the responder must reply to the NAT_DETECTION_* notifications.
> I agree this is a change from the current specs.

I would hesitate to make NAT detection mandatory, just for patenting
reasons. I'm not saying there is necessarily any problem with that,
but I remember that detection of a NAT was one thing being claimed by
an SSH patent application. So, if we assume that there are relatively
paranoid people out there who are paranoid about the patent issues, they
wouldn't want NAT detection being mandatory.

(If that didn't contain enough disclaimers) I would point out that it's
a long while since I read those patent applications, and I've no idea
about their current status. Nor do I care about their status.

Ari

-- 
I play it cool and dig all jive,
  that's the reason I stay alive.
   My motto as I live and learn,
    is dig and be dug in return. <Langston Hughes>

Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com

F(ully)-Secure products: Securing the Mobile Enterprise
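The NAT_DETECTION_* exchange the thread argues about is, as an added example
(not code from the thread or from any of the participants), shown below the
way the published IKEv2 specification, RFC 7296 section 2.23, defines it:
each side sends SHA-1(SPIi | SPIr | address | port) over its own view of the
source and destination of the packet, and the receiver compares those hashes
with what it actually sees on the wire. A mismatch on NAT_DETECTION_SOURCE_IP
means the peer is behind a NAT; a mismatch on NAT_DETECTION_DESTINATION_IP
means the receiver itself is. The SPIs, addresses and ports in the scenario
are constructed for illustration; the initiator's private and NAT-translated
addresses are assumptions, not anything from the thread.

```python
import hashlib
import ipaddress
import struct
from dataclasses import dataclass

PORT_IKE = 500        # IKE_SA_INIT is sent here
PORT_IKE_NAT_T = 4500  # the "floating" port used once a NAT has been detected


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1(SPIi | SPIr | IP address | port), RFC 7296 section 2.23.

    SPIs are the two 8-byte values from the IKE header, in header order
    (SPIr is all zeros in the IKE_SA_INIT request); the address is 4 or
    16 bytes; the port is a 16-bit value in network byte order.
    """
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


@dataclass(frozen=True)
class NatDetectionPayloads:
    """The notifications one side puts in its IKE_SA_INIT message."""
    source_ips: tuple     # one NAT_DETECTION_SOURCE_IP per local address (multi-homed hosts may send several)
    destination_ip: bytes  # NAT_DETECTION_DESTINATION_IP, the sender's view of the peer


def build_notifications(spi_i, spi_r, own_addrs, peer_addr) -> NatDetectionPayloads:
    """own_addrs: list of (ip, port) the sender believes it is sending from."""
    return NatDetectionPayloads(
        source_ips=tuple(nat_detection_hash(spi_i, spi_r, ip, port) for ip, port in own_addrs),
        destination_ip=nat_detection_hash(spi_i, spi_r, *peer_addr),
    )


def detect_nat(spi_i, spi_r, received: NatDetectionPayloads, packet_src, own_addr):
    """Receiver-side check. Returns (peer_behind_nat, self_behind_nat).

    packet_src: (ip, port) actually seen in the UDP/IP headers of the packet.
    own_addr:   (ip, port) the receiver believes the packet was addressed to.
    The peer is behind a NAT only if none of its source hashes match what
    arrived, which is why several NAT_DETECTION_SOURCE_IP payloads are allowed.
    """
    peer_behind_nat = nat_detection_hash(spi_i, spi_r, *packet_src) not in received.source_ips
    self_behind_nat = nat_detection_hash(spi_i, spi_r, *own_addr) != received.destination_ip
    return peer_behind_nat, self_behind_nat


def ike_sa_init_example():
    """Constructed scenario (an assumption, not from the thread): only the
    initiator sits behind a NAT that rewrites both its address and port.
    Returns what each side concludes after the IKE_SA_INIT exchange."""
    spi_i = bytes.fromhex("0123456789abcdef")
    spi_r_unset = bytes(8)                      # request: responder SPI not yet chosen
    spi_r = bytes.fromhex("fedcba9876543210")   # response: responder SPI now set
    init_private = ("10.0.0.5", PORT_IKE)       # what the initiator sees as its own address
    init_public = ("203.0.113.7", 61000)        # what the NAT turns that into on the wire
    responder = ("198.51.100.1", PORT_IKE)

    # Request: the initiator hashes its private address; the NAT rewrites the packet.
    req = build_notifications(spi_i, spi_r_unset, [init_private], responder)
    responder_view = detect_nat(spi_i, spi_r_unset, req, packet_src=init_public, own_addr=responder)

    # Response: the responder hashes the address it actually received from.
    rsp = build_notifications(spi_i, spi_r, [responder], init_public)
    initiator_view = detect_nat(spi_i, spi_r, rsp, packet_src=responder, own_addr=init_private)

    # Either side seeing a NAT anywhere on the path is the trigger to move
    # the rest of the SA to UDP port 4500 (UDP-encapsulated ESP, port floating).
    return responder_view, initiator_view
```

In the scenario the responder concludes (peer behind NAT, self not), and the
initiator concludes (peer not behind NAT, self behind NAT); either result is
enough for both sides to float to port 4500 for the remaining exchanges. Note
that the hashes bind the SPIs, so a NAT_DETECTION payload copied from another
IKE SA does not compare equal, and that a mismatch only tells you something on
the path rewrote addresses; it says nothing about what kind of NAT it is.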