Hi,
I'm a bit uncomfortable with the requirement that IKE peer "MUST"
advertise NAT device port if it is reachable and "MUST NOT"
if it isn't. I think, that IKE Initiator in most cases cannot
reliably determine whether it is reachable or not. For example,
even if you manually configured port forwarding on your home
network border NAT box and then configured IKE to advertise this
port, that wouldn't imply that this port is actually reachable
as your ISP may have another NAT and, as CGN become more
common, number of those nested NAT's will increase.
Even STUN might not be a good solution - it is pretty
expensive in terms of round trips, requires the presence of STUN
server in the same network segment as IKE Responder,
utilizes TLS and, most important, deals with UDP only (AFAIK).
So, I think that the requirement for IKE Initiator to advertise
its support for TCP and port it thinks it is reachable at
should be listed as "SHOULD" or even "MAY". Otherwise
it sounds like a paradox - protocol requires IKE to do
or not to do some action depending on condition
that IKE in most cases is unable to determine.
Related issues.
- in description to TCP Port field in IKE_TCP_SUPPORTED Notification
it is written that "If the sender is not subject to network address
translation, the port SHOULD be 500." Again, IKE Initiator
cannot reliably determine whether it is behind NAT or not.
It becomes clear only after initial request completes and
NAT_TRAVERSAL_*_IP are processed.
- as it is quite possible that the port advertised by IKE Initiator
in IKE_TCP_SUPPORTED Notification is actually
not reachable, I think it is worth to mention, that if original
Responder after IKE SA is established wants to
make some request using TCP port advertised by
original Initiator and this port appears to be not reachable,
this Responder MUST NOT tear down IKE SA but MUST
instead fall back to UDP transport.
Regards,
Valery Smyslov.
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
