
NAT traversal and refreshes
David Wierbowski writes:
> I have a question about the "Negotiation of NAT-Traversal in IKE" draft.
> Should the NAT vendor ID, NAT-D payloads, and NAT-OA payloads documented in
> draft-ietf-ipsec-nat-t-ike-07 be exchanged during refreshes of phase 1
> and phase 2 SAs or should they only be exchanged in the initial negotiation
> of a phase 1/2 SA?  It seems as if once you've detected a NAT in the
> initial negotiation there's not much value in checking if it is still there
> on a refresh. Thanks in advance for your help.

If we send them during the rekeys, we will also detect if someone adds
a NAT box in between or changes the configuration of the NAT box. It also
probably makes it easier for IKEv1, i.e. where the IKE SA rekey is
not really a rekey, but the creation of a new SA and removal of the old one. I.e.
it is better to include the payloads also in the rekeys just in case
(== makes the implementations also simpler as they will simply
process the rekeys identically to the original initial connect). 
-- 
kivinen@safenet-inc.com
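The following is an added illustration of the point made in the reply above, not code from the thread or from any IKE implementation. It computes NAT-D payloads the way the NAT-T draft (later RFC 3947) defines them, HASH(CKY-I | CKY-R | IP | Port), and runs the responder-side comparison twice: once for the initial negotiation with no NAT on the path, and once for a rekey after a NAT box has been inserted. The cookies, addresses and the choice of SHA-1 as the negotiated hash are constructed assumptions; in a real IKEv1 phase 1 "rekey" the new SA would also carry fresh cookies, which is simplified away here.

```python
import hashlib
import ipaddress
import struct

# Constructed sample values (not from the thread): 8-byte IKE cookies.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")
INITIATOR = ("10.0.0.5", 500)       # address the initiator believes it has
RESPONDER = ("198.51.100.10", 500)  # responder's own address


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """NAT-D payload body as defined in the NAT-T draft / RFC 3947:
    HASH(CKY-I | CKY-R | IP | Port), with IP as its 4- or 16-byte packed
    form and Port as a 2-byte network-order integer. The hash is the one
    negotiated for the IKE SA; SHA-1 is an assumption of this example."""
    packed_ip = ipaddress.ip_address(ip).packed
    h = hashlib.new(algo)
    h.update(cky_i + cky_r + packed_ip + struct.pack("!H", port))
    return h.digest()


def build_nat_d_payloads(cky_i: bytes, cky_r: bytes, dst, src_list) -> list:
    """Sender side. The draft orders the payloads as: first the remote end
    (the UDP destination), then one per possible local source address."""
    return [nat_d_hash(cky_i, cky_r, *dst)] + [
        nat_d_hash(cky_i, cky_r, *src) for src in src_list
    ]


def detect_nat(cky_i: bytes, cky_r: bytes, payloads: list, observed_src, own_addr) -> dict:
    """Receiver side. Compare what the peer hashed against what we observe:
    - the peer is behind a NAT if none of its 'local' hashes match the
      source address/port the packet actually arrived from;
    - we are behind a NAT if the peer's 'remote' hash does not match our
      own address/port (a NAT rewrote our address on the way to the peer)."""
    remote_hash, local_hashes = payloads[0], payloads[1:]
    peer_behind_nat = nat_d_hash(cky_i, cky_r, *observed_src) not in local_hashes
    we_behind_nat = remote_hash != nat_d_hash(cky_i, cky_r, *own_addr)
    return {"peer_behind_nat": peer_behind_nat, "we_behind_nat": we_behind_nat}


def initial_negotiation() -> dict:
    """First phase 1 exchange, no NAT on the path: the responder sees the
    initiator's real source address, so neither side is flagged."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, dst=RESPONDER, src_list=[INITIATOR])
    return detect_nat(CKY_I, CKY_R, payloads, observed_src=INITIATOR, own_addr=RESPONDER)


def rekey_after_nat_inserted(resend_nat_d: bool) -> dict:
    """Models the situation in the reply: a NAT box appears between the peers
    after the initial negotiation. Only if NAT-D is sent again on the rekey
    can the responder notice; otherwise it keeps the stale 'no NAT' verdict."""
    nat_translated_src = ("203.0.113.7", 4500)  # NAT's outside address:port (constructed)
    if not resend_nat_d:
        # Cached result from the first exchange, now wrong.
        return initial_negotiation()
    payloads = build_nat_d_payloads(CKY_I, CKY_R, dst=RESPONDER, src_list=[INITIATOR])
    return detect_nat(CKY_I, CKY_R, payloads, observed_src=nat_translated_src, own_addr=RESPONDER)


if __name__ == "__main__":
    print("initial negotiation:  ", initial_negotiation())
    print("rekey, NAT-D resent:  ", rekey_after_nat_inserted(True))
    print("rekey, NAT-D omitted: ", rekey_after_nat_inserted(False))
```

The third case is the one the reply argues against: an implementation that skips the payloads on rekey keeps believing there is no NAT even though the source port has moved to 4500 and the address has changed, so it would not switch to UDP encapsulation or adjust keepalives. Re-sending the payloads makes the rekey code path identical to the initial connect, which is exactly the simplification the reply describes.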