On Dec 13, 2012, at 9:20 AM, Yoav Nir <y...@checkpoint.com> wrote:

> Hi Valery
>
> Thinking it over, I kind of regret adding the port field to the TCP_SUPPORTED
> notification. We don't have any mechanism for alternate UDP ports. Yes, UDP
> has cheap liveness checks to keep the mapping in the NAT so that requests can
> be initiated to the original initiator, while TCP does not.
>
> But your points are well taken. Leaving the advertised TCP port to
> configuration or auto-discovery is error-prone and adds unnecessary
> complications to the protocol.
>
> I propose that:
> 1. We remove the port from the Notify
> 2. All connections will be done to port 500.
> 3. We warn against trying to use TCP to a peer behind NAT
>
> This loses the ability to use port forwarding to have a reachable TCP port
> (unless that port is 500), but I think the simplification justifies it.

+1. It was getting too complex and iffy.

--Paul Hoffman

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec