
Re: question about draft-ietf-ipsec-nat-t-ike-07



Tom Hu writes:
> Question about NAT-T with v2. I read the v2 RFC, and my impression is that
> it does not allow sending or processing notification messages until the
> peer is authenticated.

I haven't found any such restriction in the draft. It says that
status notifications can be added to any packet. Also, the
notifications in the IKE_SA_INIT packets are authenticated as well,
because those packets are included in the AUTH hash.

> It also means that we can only send or process Notify messages after
> the 4th message. It seems we should send NAT-D in msg #1 and #2; is
> that against the IKEv2 protocol?

The IKEv2 NAT-T clearly says that those NAT_DETECTION_*_IP
notifications are included in the IKE_SA_INIT exchange. 

> Or do we have some selection of Notification messages that can be
> allowed before the 4th message?
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
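As an added illustration of the NAT_DETECTION_*_IP exchange the reply refers to (this is example code written for this page, not code from the message, the draft, or the SSH toolkit): per the IKEv2 text (RFC 4306 / RFC 7296, section 2.23) the data of a NAT_DETECTION_SOURCE_IP or NAT_DETECTION_DESTINATION_IP notification is a SHA-1 digest of the two SPIs from the IKE header, followed by the IP address and the UDP port the packet was sent from (or to). The initiator puts these in its IKE_SA_INIT request, and the receiver recomputes them from the address and port it actually observes on the wire; a mismatch means a NAT rewrote that side. The SPIs, addresses and ports below are constructed sample values, and the AUTH coverage mentioned in the reply is not implemented here.

```python
import hashlib
import ipaddress
import struct

# IKEv2 NAT detection, RFC 4306 / RFC 7296 section 2.23:
#   data = SHA1( SPIi | SPIr | IP address | port )
# SPIs are the 8-byte values from the IKE header, in header order; the IP
# address is 4 or 16 bytes and the port is 2 bytes, both in network order.


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Compute the 20-byte NAT_DETECTION_*_IP notification data."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    addr = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def build_nat_d_notifies(spi_i: bytes, spi_r: bytes, src_ips, src_port: int,
                         dst_ip: str, dst_port: int) -> dict:
    """Notifications the sender places in its IKE_SA_INIT message.

    One NAT_DETECTION_SOURCE_IP may be sent per local address, which the
    spec allows for multi-homed hosts; there is exactly one DESTINATION_IP.
    In the very first message SPIr is still all zeros.
    """
    return {
        "NAT_DETECTION_SOURCE_IP": [
            nat_detection_hash(spi_i, spi_r, ip, src_port) for ip in src_ips
        ],
        "NAT_DETECTION_DESTINATION_IP":
            nat_detection_hash(spi_i, spi_r, dst_ip, dst_port),
    }


def detect_nat(spi_i: bytes, spi_r: bytes, notifies: dict,
               observed_src_ip: str, observed_src_port: int,
               local_ip: str, local_port: int) -> tuple:
    """Receiver-side check, returning (peer_behind_nat, local_behind_nat).

    The receiver rebuilds the hashes from the packet's actual source
    address/port and from its own address/port.  If none of the peer's
    SOURCE_IP hashes match, the peer's source was rewritten (peer behind
    NAT).  If the DESTINATION_IP hash does not match, the peer addressed
    a public address that a NAT translated to us (we are behind NAT).
    """
    seen_src = nat_detection_hash(spi_i, spi_r, observed_src_ip, observed_src_port)
    peer_behind_nat = seen_src not in notifies["NAT_DETECTION_SOURCE_IP"]
    own_dst = nat_detection_hash(spi_i, spi_r, local_ip, local_port)
    local_behind_nat = notifies["NAT_DETECTION_DESTINATION_IP"] != own_dst
    return peer_behind_nat, local_behind_nat


# Constructed sample exchange: initiator on a private address behind a NAT,
# responder on a public address.  SPIr is zero in the initiator's request.
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R_ZERO = bytes(8)
INITIATOR_PRIVATE = "10.0.0.5"
INITIATOR_AS_SEEN = "203.0.113.9"   # NAT's outside address
RESPONDER_PUBLIC = "198.51.100.7"


def run_behind_nat_scenario() -> tuple:
    """Initiator behind NAT: responder sees a rewritten source address/port."""
    sent = build_nat_d_notifies(SPI_I, SPI_R_ZERO, [INITIATOR_PRIVATE], 500,
                                RESPONDER_PUBLIC, 500)
    return detect_nat(SPI_I, SPI_R_ZERO, sent,
                      observed_src_ip=INITIATOR_AS_SEEN, observed_src_port=4500,
                      local_ip=RESPONDER_PUBLIC, local_port=500)


def run_no_nat_scenario() -> tuple:
    """No NAT on the path: what was hashed is exactly what arrives."""
    sent = build_nat_d_notifies(SPI_I, SPI_R_ZERO, [INITIATOR_AS_SEEN], 500,
                                RESPONDER_PUBLIC, 500)
    return detect_nat(SPI_I, SPI_R_ZERO, sent,
                      observed_src_ip=INITIATOR_AS_SEEN, observed_src_port=500,
                      local_ip=RESPONDER_PUBLIC, local_port=500)


if __name__ == "__main__":
    print("initiator behind NAT:", run_behind_nat_scenario())
    print("no NAT:", run_no_nat_scenario())
```

The comparison is purely on the digests, so the receiver never needs to know the peer's private address; it only learns that the address it sees differs from the one the peer hashed. Because the notifications travel in IKE_SA_INIT, a check like this runs before the peer is authenticated, which is exactly why the later AUTH computation covering the whole IKE_SA_INIT message matters.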