Yaron Sheffer writes:
> However, given that normal NAT detection happens during IKE_SA_INIT, can you
> clarify why this would work better if we had a 2 RT protocol?

I think this should explain it:

> > exchange too. Allowing IP addresses to change means that the networks
> > where the packets can come in are different, meaning they might have
> > misconfigured firewalls or similar there, and killing your resumption
> > ticket by just trying to connect through a broken firewall is a bad idea.

I.e. if you are always assuming the network is the same, you do not need to
consider someone adding a broken firewall in the middle. If on the other hand
you just happen to try every WLAN your client sees on its way, there are most
likely going to be a few broken / misconfigured firewalls / NAT boxes etc. on
the way, and the 1 RT protocol will quite often use your ticket without you
ever noticing it, as reply packets will not reach you.

I.e. it is not really a change required by the protocol, but the operating
environment changes to a much more unreliable and untrusted one, meaning the
protocol should be more robust against attacks.
-- 
kivi...@iki.fi
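The argument above (a single-use resumption ticket burned by a first message whose reply never comes back, versus a reachability check before the ticket is spent) is easy to see in a small model. The following is an added toy simulation, not code from the thread or from any IKEv2 implementation: the `Server`, `Path`, and both client strategies are constructed here, tickets are single-use by design (replay protection), and the "broken" path delivers the client's request but silently drops the server's reply, which is exactly the failure mode the mail describes.

```python
"""Toy model of 1-RT vs 2-RT IKEv2 session resumption over a path that
silently drops server replies (constructed example, not IETF/IKEv2 code)."""

import secrets


class Server:
    """Resumption server with single-use tickets (anti-replay)."""

    def __init__(self):
        self.tickets = set()  # outstanding, unused ticket ids

    def issue_ticket(self):
        tid = secrets.token_hex(8)  # constructed opaque ticket id
        self.tickets.add(tid)
        return tid

    def handle_init(self, msg):
        # IKE_SA_INIT-style probe: carries no ticket, so nothing is consumed.
        return {"type": "IKE_SA_INIT_RESP", "nat_detection": "ok"}

    def handle_resume(self, msg):
        tid = msg["ticket"]
        if tid not in self.tickets:
            # Unknown or already-used ticket: reject (replay/loss indistinguishable).
            return {"type": "ERROR", "notify": "ticket unknown or already used"}
        self.tickets.discard(tid)  # consumed on first use, reply or not
        return {"type": "RESUME_RESP"}


class Path:
    """Network path; a broken path delivers requests but drops replies."""

    def __init__(self, drop_replies):
        self.drop_replies = drop_replies

    def deliver(self, handler, msg):
        resp = handler(msg)  # server processes the request either way
        return None if self.drop_replies else resp


def client_one_rt(server, path, ticket):
    """1-RT: first message already spends the ticket."""
    resp = path.deliver(server.handle_resume, {"ticket": ticket})
    return resp is not None and resp["type"] == "RESUME_RESP"


def client_two_rt(server, path, ticket):
    """2-RT: probe the path first; only send the ticket once a reply arrived."""
    probe = path.deliver(server.handle_init, {"type": "IKE_SA_INIT"})
    if probe is None:
        return False  # path is broken, ticket untouched
    resp = path.deliver(server.handle_resume, {"ticket": ticket})
    return resp is not None and resp["type"] == "RESUME_RESP"


def run_scenario(two_rt):
    """First try through a broken NAT/firewall, then retry on a good network.

    Returns (first_attempt_ok, retry_ok, ticket_still_valid_before_retry)."""
    server = Server()
    ticket = server.issue_ticket()
    client = client_two_rt if two_rt else client_one_rt

    first = client(server, Path(drop_replies=True), ticket)
    still_valid = ticket in server.tickets
    retry = client(server, Path(drop_replies=False), ticket)
    return first, retry, still_valid


if __name__ == "__main__":
    print("1 RT:", run_scenario(two_rt=False))  # (False, False, False)
    print("2 RT:", run_scenario(two_rt=True))   # (False, True, True)
```

In the 1 RT run the client never learns the ticket was consumed: the broken path ate the reply, and the later retry on a working network fails with an unknown-ticket error. In the 2 RT run the probe exchange fails visibly, the ticket is still on the server, and the retry succeeds. The model ignores everything else about IKEv2; its only purpose is to show why an unreliable, untrusted operating environment makes the round-trip count a robustness question rather than a pure latency one.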