
Re: [Ipsec] VID for nat traversal



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Tero" == Tero Kivinen <kivinen@iki.fi> writes:
    >> It is my understanding that someone who implemented -03 can
    >> interop with someone who has done -08.

    Tero> Partly. They will interoperate if they use tunnel mode, if
    Tero> they try to use transport mode the -08 implementation will
    Tero> assume/send two NAT-OA payloads, and the -03 will only
    Tero> assume/send one NAT-OA payload. This will most likely cause
    Tero> them to fail to negotiate. Also in the -08 the NAT-OA payloads
    Tero> are MANDATORY if using transport mode, as in the -03 it was
    Tero> only SHOULD.

  Hmm. Okay, so one needs a new VID for -08, but since:

    Tero> use range, the -08 have invalid numbers from the IANA
    Tero> allocated range.

  I think it would be better not to have an official -08 VID at all!
  In fact, I'd urge you to issue a -09 without the invalid numbers.

    Tero> So if you need to ship your products now, and want to have RFC
    Tero> compatibility, then implement the latest draft and make the

  I'd say something different. Unless you need transport mode, implement
-03 now, and RFC in a month or whatever. Maybe we can get the #s assigned
sooner.

    Tero> when testing and when the final numbers will be out in month
    Tero> or two, you can change them easily. The
    Tero> UDP-encapsulated-transport and UDP-encapsulated-tunnel are

  I don't like such things - products stay in the field for a lot longer
than anyone would like, and editing config parameters seems a PITA.

  {Btw, I have come up with a way to do OE with NAT-T with tunnel
mode. I have yet to implement it. Look for a future document.
  Transport mode might actually make it easier, but I'm kind of
skeptical about how well that really works. It seems that the IPsec has
to do per-peer NAT in order to avoid possible port-overlaps if one has
two clients connected from behind the same NAPT}

--
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
  
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQJEH2oqHRg3pndX9AQGrZQP/bcYdGQ9YbHmrjQhnXaBt8ElaGujrzU0t
esP8dMYOeP0yNxAI8PGq0HVmr7+f6diEWEyqij2vXBpmWLaBxpQS4P30rMfHocEN
je7qBa8vyZQElr37O0gCOmQ+0j39CqEto4xHBOn1coygFlls0Q3+oSYTHvDBjy5Y
HNBoDRqR+j4=
=byWR
-----END PGP SIGNATURE-----

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec