
Re: NAT traversal and refreshes



I'd agree with you (that it shouldn't be rechecked on refresh of the SA).
If there was a worry that things might change, then it ought to be done
periodically, not just when an SA is being refreshed. And actually, I think
as long as both endpoints can do the NAT traversal stuff, then it works
fine even if the NAT goes away, and the design might be simpler to just
always work in NAT traversal mode. But at any rate, I don't think there's
any downside in, once noticing a NAT, continuing in NAT traversal mode.

Radia

----- Original Message -----
From: David Wierbowski <wierbows@us.ibm.com>
Date: Thursday, February 12, 2004 12:26 pm
Subject: NAT traversal and refreshes

> I have a question about the "Negotiation of NAT-Traversal in IKE" draft.
> Should the NAT vendor ID, NAT-D payloads, and NAT-OA payloads documented in
> draft-ietf-ipsec-nat-t-ike-07 be exchanged during refreshes of phase 1
> and phase 2 SAs, or should they only be exchanged in the initial negotiation
> of a phase 1/2 SA?  It seems as if once you've detected a NAT in the
> initial negotiation there's not much value in checking if it is still there
> on a refresh. Thanks in advance for your help.
> 
> Dave Wierbowski
> 
> z/OS Comm Server Development