Re: question about draft-ietf-ipsec-nat-t-ike-07
Tom Hu writes:
> Question about NAT-T with v2. I read the v2 RFC, and my impression is that
> it does not allow sending or processing notification messages until the
> peer is authenticated.
I haven't found any such restriction in the draft. It says that
status notifications can be added to any packet. Also, those
notifications in the IKE_SA_INIT packets are authenticated as well, since the
packets are included in the AUTH hash.
> It also means that we can only send or process Notify
> messages after the 4th message. It seems we should send NAT-D in msg #1
> and #2; is this against the IKEv2 protocol?
The IKEv2 NAT-T clearly says that those NAT_DETECTION_*_IP
notifications are included in the IKE_SA_INIT exchange.
> Or is there some selection of Notification messages that can be allowed
> before the 4th message?
--
kivinen@ssh.fi
SSH Communications Security http://www.ssh.fi/
SSH IPSEC Toolkit http://www.ssh.fi/ipsec/
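For readers following the thread: the NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notifications carried in IKE_SA_INIT hold a SHA-1 hash over the SPIs, an IP address and a port (RFC 7296 section 2.23; the same construction as in the NAT-T draft discussed above), and the receiver compares those hashes against the address and port it actually observed. The example below is added here to illustrate that check; it is not code from the thread, the draft, or the SSH toolkit. The SPI value, the 10.0.0.5 / 198.51.100.10 / 203.0.113.7 addresses and the ports are constructed sample values, and the function names are this example's own.

```python
import hashlib
import ipaddress

# NAT_DETECTION_*_IP payload data per RFC 7296 section 2.23:
#   SHA-1( initiator SPI || responder SPI || IP address || port )
# SPIs are 8 octets each as they appear in the IKE header of the message,
# the address is in network byte order (4 bytes IPv4 / 16 bytes IPv6),
# the port is 2 bytes big-endian.
SPI_LEN = 8


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Return the 20-byte NAT_DETECTION hash for one address/port pair."""
    if len(spi_i) != SPI_LEN or len(spi_r) != SPI_LEN:
        raise ValueError("IKEv2 SPIs are 8 octets each")
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    addr = ipaddress.ip_address(ip).packed  # raises on a malformed address
    return hashlib.sha1(spi_i + spi_r + addr + port.to_bytes(2, "big")).digest()


def build_nat_detection_notifies(spi_i, spi_r, local_addrs, local_port, peer_ip, peer_port):
    """Sender side: what an IKE_SA_INIT message carries.

    One NAT_DETECTION_SOURCE_IP per local address (a multi-homed host may
    send several) and one NAT_DETECTION_DESTINATION_IP for the peer address.
    """
    sources = [nat_detection_hash(spi_i, spi_r, ip, local_port) for ip in local_addrs]
    destination = nat_detection_hash(spi_i, spi_r, peer_ip, peer_port)
    return {"source": sources, "destination": destination}


def detect_nat(notifies, spi_i, spi_r, observed_src_ip, observed_src_port, own_ip, own_port):
    """Receiver side. Returns (peer_behind_nat, self_behind_nat).

    If no NAT_DETECTION_SOURCE_IP matches the hash of the address/port the
    packet actually came from, the peer is behind a NAT. If the
    NAT_DETECTION_DESTINATION_IP does not match the hash of our own
    address/port, we are behind a NAT. Either case calls for switching the
    SA to UDP-encapsulated traffic on port 4500.
    """
    observed_source = nat_detection_hash(spi_i, spi_r, observed_src_ip, observed_src_port)
    peer_behind_nat = observed_source not in notifies["source"]
    own_destination = nat_detection_hash(spi_i, spi_r, own_ip, own_port)
    self_behind_nat = own_destination != notifies["destination"]
    return peer_behind_nat, self_behind_nat


# Constructed sample values (not from any real exchange).
INITIATOR_SPI = bytes.fromhex("0123456789abcdef")
ZERO_SPI = bytes(SPI_LEN)  # responder SPI is zero in the first IKE_SA_INIT message


def example():
    """Initiator at private 10.0.0.5:500 behind a NAT talks to 198.51.100.10:500."""
    notifies = build_nat_detection_notifies(
        INITIATOR_SPI, ZERO_SPI, ["10.0.0.5"], 500, "198.51.100.10", 500
    )
    # The responder sees the packet arrive from the NAT's public address/port.
    return detect_nat(
        notifies, INITIATOR_SPI, ZERO_SPI, "203.0.113.7", 61234, "198.51.100.10", 500
    )


if __name__ == "__main__":
    peer_nat, self_nat = example()
    print(f"initiator behind NAT: {peer_nat}, responder behind NAT: {self_nat}")
```

Two points worth noting. Sending a hash rather than the raw address keeps internal addressing out of the clear and, through the SPIs, binds the value to this particular SA, so a stale value from another exchange will not match. The example only covers the detection step; the thread's point that these IKE_SA_INIT notifications end up authenticated because the whole IKE_SA_INIT message is covered by the later AUTH computation is not modelled here.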