
Re: question about draft-ietf-ipsec-nat-t-ike-07



Tero Kivinen wrote:
> 
> Tom Hu writes:
> > Question about NAT-T with v2. I read the v2 RFC; my impression is that it does
> > not allow sending or processing notification messages until the peer is
> > authenticated.
> 
> I haven't found any such restriction in the draft. It says that
> status notifications can be added to any packet. Also, those
> notifications in the IKE_SA_INIT packets are authenticated, as the
> packets are included in the AUTH hash.

Please see this paragraph in 11.txt:

1.4 The INFORMATIONAL Exchange

   At various points during the operation of an IKE_SA, peers may desire
   to convey control messages to each other regarding errors or
   notifications of certain events. To accomplish this IKE defines an
   INFORMATIONAL exchange.  INFORMATIONAL exchanges MAY ONLY occur after
   the initial exchanges and are cryptographically protected with the
   negotiated keys.

Here the initial exchange includes messages 1 to 4.
And by the way, the IKE_SA_INIT message does not have an AUTH payload. The AUTH
payload is sent in messages #3 and #4.

> 
> > It also means that we can only send or process Notify
> > messages after the 4th message. It seems we should send NAT-D in msg #1
> > and #2; is that against the IKEv2 protocol?
> 
> The IKEv2 NAT-T clearly says that those NAT_DETECTION_*_IP
> notifications are included in the IKE_SA_INIT exchange.
> 
> > Or is there some selection of Notification messages that is allowed before
> > the 4th message?
> --
> kivinen@ssh.fi
> SSH Communications Security                  http://www.ssh.fi/
> SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
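As an added illustration of the NAT_DETECTION_*_IP notifications the thread is arguing about (this is example code written for this page, not code from either poster, SSH, or the draft): each side puts a SHA-1 digest of the SPIs, its own address and port (SOURCE_IP) and the peer's address and port (DESTINATION_IP) into IKE_SA_INIT, and the receiver recomputes the digests from the addresses it actually observed on the wire. The digest layout follows the published IKEv2 specification (RFC 7296, section 2.23); it is an assumption that the draft versions discussed here use the same construction. The SPI values and addresses are constructed sample values.

```python
import hashlib
import ipaddress
import struct

# Constructed sample SPIs (not taken from the thread). In message #1 of
# IKE_SA_INIT the responder SPI in the header is still all zeros.
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes(8)


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over SPIi | SPIr | IP address | UDP port (20-byte digest).

    Assumption: this is the digest the published IKEv2 spec (RFC 7296 sec. 2.23)
    carries in NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP; the draft
    discussed in the thread is assumed to use the same construction.
    """
    addr = ipaddress.ip_address(ip).packed      # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def build_nat_detection_notifies(spi_i, spi_r, src_ip, src_port, dst_ip, dst_port):
    """What the sender puts in its IKE_SA_INIT message: a hash of the address
    and port it believes it is sending from, and of where it is sending to."""
    return {
        "NAT_DETECTION_SOURCE_IP": [nat_detection_hash(spi_i, spi_r, src_ip, src_port)],
        "NAT_DETECTION_DESTINATION_IP": nat_detection_hash(spi_i, spi_r, dst_ip, dst_port),
    }


def detect_nat(spi_i, spi_r, notifies, seen_src_ip, seen_src_port, local_ip, local_port):
    """Receiver side: recompute the hashes from the addresses actually observed
    on the wire and compare. A mismatch means a NAT rewrote that side.
    Returns (peer_behind_nat, we_are_behind_nat)."""
    expected_src = nat_detection_hash(spi_i, spi_r, seen_src_ip, seen_src_port)
    # A multi-homed sender may include several SOURCE_IP notifies; the peer is
    # behind a NAT only if none of them matches the source we observed.
    peer_behind_nat = expected_src not in notifies["NAT_DETECTION_SOURCE_IP"]
    expected_dst = nat_detection_hash(spi_i, spi_r, local_ip, local_port)
    we_are_behind_nat = notifies["NAT_DETECTION_DESTINATION_IP"] != expected_dst
    return peer_behind_nat, we_are_behind_nat


if __name__ == "__main__":
    # Constructed scenario: initiator 10.0.0.5:500 sits behind a NAT that
    # rewrites the packet to 203.0.113.7:13000; responder 198.51.100.1:500 is
    # not NATed.
    sent = build_nat_detection_notifies(SPI_I, SPI_R, "10.0.0.5", 500,
                                        "198.51.100.1", 500)
    print(detect_nat(SPI_I, SPI_R, sent, "203.0.113.7", 13000,
                     "198.51.100.1", 500))
    # (True, False): the initiator is behind a NAT, the responder is not.
```

Because these digests ride in messages #1 and #2, the receiver acts on them before the peer is authenticated, which is exactly the tension raised above; in IKEv2 the later AUTH payload covers the complete IKE_SA_INIT messages, so a modified notification would surface as an authentication failure in messages #3 and #4 rather than go unnoticed. On a mismatch the usual consequence is to switch the SA to UDP encapsulation on port 4500.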