Herbert:
Recently the statement "Implementations MUST process received UDP-encapsulated ESP packets even when no NAT was detected." was added to the draft. This has the potential to create black holes if deployed in the field, unless all implementations always use UDP encapsulation regardless of NAT. The problem is that if a peer behind a firewall (with no NAT) that only allows inbound packets which are in response to outbound packets performs UDP encapsulation without NAT, and the remote peer responds without UDP encapsulation, then all data packets from the remote peer will be dropped. Looking at this from the point of view of the remote peer, the only practical solution would be to always employ UDP encapsulation, regardless of NAT detection. Now through discussion on the mailing list it appears that this statement was motivated by a need in MOBIKE to deploy UDP encapsulation when NAT is not detected. So assuming that we want to cater for this in IPsec, we should extend IKE to explicitly negotiate UDP encapsulation, rather than having it rely on the result of NAT detection.

Not discussed in SF.

Yaron: this looks like an important issue!
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
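A toy model of the black hole Herbert describes, added here as an example and not taken from the thread or any IPsec implementation: a stateful firewall that admits inbound packets only when they match an outbound flow, a local peer that sends UDP-encapsulated ESP (UDP port 4500, per RFC 3948), and a remote peer that replies either with raw ESP (IP protocol 50) or with UDP encapsulation. The addresses, the flow key and the firewall's matching rule are assumptions made for the illustration.

```python
from dataclasses import dataclass

ESP = 50          # IP protocol number for ESP
UDP = 17          # IP protocol number for UDP
NATT_PORT = 4500  # UDP-encapsulated ESP port (RFC 3948)


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0  # 0 for protocols without ports (raw ESP)
    dport: int = 0


class StatefulFirewall:
    """Assumed model: no NAT, outbound always allowed, inbound only if it
    reverses a flow (proto, src, dst, sport, dport) seen outbound."""

    def __init__(self):
        self.flows = set()

    def outbound(self, pkt):
        self.flows.add((pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport))
        return True

    def inbound(self, pkt):
        reverse = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        return reverse in self.flows


def esp_reply(to_pkt, udp_encap):
    """Remote peer's data packet back toward the sender of to_pkt."""
    if udp_encap:
        return Packet(UDP, to_pkt.dst, to_pkt.src, to_pkt.dport, to_pkt.sport)
    # Raw ESP has no ports, so it can never match the UDP flow entry.
    return Packet(ESP, to_pkt.dst, to_pkt.src)


def simulate(remote_uses_udp_encap):
    """True if the remote peer's ESP traffic reaches the local peer."""
    fw = StatefulFirewall()
    # Constructed addresses: local peer 10.0.0.5, remote peer 203.0.113.9
    out = Packet(UDP, "10.0.0.5", "203.0.113.9", NATT_PORT, NATT_PORT)
    fw.outbound(out)
    return fw.inbound(esp_reply(out, remote_uses_udp_encap))


if __name__ == "__main__":
    print("remote replies raw ESP :", simulate(False))  # black hole
    print("remote replies UDP/4500:", simulate(True))   # traffic flows
```

The asymmetric case (local peer encapsulates, remote replies with raw ESP) is the one the statement quoted above permits, and the model shows why only "always encapsulate" or an explicit IKE negotiation of encapsulation avoids it.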