Re: [Ipsec] VID for nat traversal
>>>>> "Tero" == Tero Kivinen <kivinen@iki.fi> writes:
>> It is my understanding that someone who implemented -03 can
>> interop with someone who has done -08.
Tero> Partly. They will interoperate if they use tunnel mode, if
Tero> they try to use transport mode the -08 implementation will
Tero> assume/send two NAT-OA payloads, and the -03 will only
Tero> assume/send one NAT-OA payload. This will most likely cause
Tero> them to fail to negotiate. Also in the -08 the NAT-OA payloads
Tero> are MANDATORY if using transport mode, as in the -03 it was
Tero> only SHOULD.
Hmm. Okay, so one needs a new VID for -08, but since:
Tero> use range, the -08 have invalid numbers from the IANA
Tero> allocated range.
I think it would be better not to have an official -08 VID at all!
In fact, I'd urge you to issue a -09 without the invalid numbers.
Tero> So if you need to ship your products now, and want to have RFC
Tero> compatibility, then implement the latest draft and make the
I'd say something different. Unless you need transport mode, implement
-03 now, and RFC in a month or whatever. Maybe we can get the #s assigned
sooner.
Tero> when testing and when the final numbers will be out in month
Tero> or two, you can change them easily. The
Tero> UDP-encapsulated-transport and UDP-encapsulated-tunnel are
I don't like such things - products stay in the field for a lot longer
than anyone would like, and editing config parameters seems a PITA.
{Btw, I have come up with a way to do OE with NAT-T with tunnel
mode. I have yet to implement it. Look for a future document.
Transport mode might actually make it easier, but I'm kind of
skeptical about how well that really works. It seems that IPsec has
to do per-peer NAT in order to avoid possible port overlaps if one has
two clients connected from behind the same NAPT}
--
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
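The -03 versus -08 interop problem above, as an added example that is not code from this thread or from any implementation mentioned in it. It assumes the usual IKEv1 NAT-T convention that a peer announces its draft version with a Vendor ID payload equal to the MD5 of the draft name (and of the string "RFC 3947" for the final RFC), and encodes the NAT-OA expectations Tero describes: one payload for -03, two for -08 and the RFC.

```python
import hashlib

# Constructed mapping: Vendor ID source string -> (label, NAT-OA payloads expected in transport mode).
# Assumption: NAT-T peers announce support with a Vendor ID payload equal to the MD5
# digest of the draft name (and of the string "RFC 3947" for the final RFC).
# NAT-OA counts follow the thread: -03 sends one (SHOULD), -08 and RFC 3947 send two (MUST).
NATT_VERSIONS = {
    "draft-ietf-ipsec-nat-t-ike-03": ("-03", 1),
    "draft-ietf-ipsec-nat-t-ike-08": ("-08", 2),
    "RFC 3947": ("RFC 3947", 2),
}


def natt_vid(source: str) -> bytes:
    """Return the 16-byte Vendor ID payload body derived from a draft/RFC name."""
    return hashlib.md5(source.encode("ascii")).digest()


# Reverse table: VID bytes -> (label, nat_oa_count), built once at import.
VID_TABLE = {natt_vid(src): info for src, info in NATT_VERSIONS.items()}


def identify_natt_peer(vid_payload: bytes):
    """Map a received VID body to its NAT-T version, or None if it is not a known NAT-T VID."""
    return VID_TABLE.get(vid_payload)


def natt_interop_check(local_source: str, peer_vid: bytes, mode: str):
    """Decide whether our NAT-T version and the peer's can negotiate in the given IPsec mode.

    Returns (ok, reason). Tunnel mode is version-agnostic; transport mode fails when the
    two sides expect a different number of NAT-OA payloads, which is the -03 vs -08 case.
    """
    local = NATT_VERSIONS[local_source]
    peer = identify_natt_peer(peer_vid)
    if peer is None:
        return False, "peer sent no recognised NAT-T Vendor ID"
    if mode == "tunnel":
        return True, f"tunnel mode: {local[0]} and {peer[0]} interoperate"
    if mode != "transport":
        raise ValueError("mode must be 'tunnel' or 'transport'")
    if local[1] != peer[1]:
        return False, (f"transport mode: {local[0]} expects {local[1]} NAT-OA payload(s), "
                       f"{peer[0]} expects {peer[1]}")
    return True, f"transport mode: {local[0]} and {peer[0]} agree on {peer[1]} NAT-OA payloads"
```

A -03 implementation that logs the reason string when a transport-mode negotiation fails makes the draft mismatch visible instead of leaving a silent IKE failure.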