Hi team,

I request clarification here. Sec 2.23 "NAT traversal" on page 58 of
draft-ietf-ipsecme-ikev2bis-03.txt says:

   An initiator can float to port 4500, regardless whether or not there
   is NAT, even at the beginning of IKE.  When either side is using port
   4500, sending with UDP encapsulation is not required, but
   understanding received packets with UDP encapsulation is required.
   UDP encapsulation MUST NOT be done on port 500.  If NAT-T is
   supported (that is, if NAT_DETECTION_*_IP payloads were exchanged
   during IKE_SA_INIT), all devices MUST be able to receive and process
   both UDP encapsulated and non-UDP encapsulated packets at any time.
   Either side can decide whether or not to use UDP encapsulation
   irrespective of the choice made by the other side.  However, if a NAT
   is detected, both devices MUST send UDP encapsulated packets.

Later on the same page, a NAT requirement says:

   o  IKE MUST listen on port 4500 as well as port 500.  IKE MUST
      respond to the IP address and port from which packets arrived.
With the above NAT-T and MOBIKE in the context, I have the following
questions:

1) Can an IKE peer that migrated to 4500 for some reason migrate back to
   500 later? Is that allowed?

2) One use case I see is that an IKE initiator who supports MOBIKE does
   the IKE_SA_INIT exchange on port 500. According to the MOBIKE RFC, it
   sends message 3 on port 4500. Let us assume that the responder does not
   support MOBIKE. Is the responder expected to respond on port 4500?

3) Continuing case 2) above, what is the port on which both the peers are
   supposed to communicate afterwards? The initiator learnt that the
   responder is not supporting MOBIKE. Is it expected to continue on port
   4500? That is, if one peer migrates to 4500, is it expected to continue
   on that port and not migrate back?

Thanks,
Srinivas


_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
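The port 500 / port 4500 receive rules quoted from the draft, as an added example that is not part of the original message or of any IKE implementation: it assumes the RFC 3948 framing on port 4500 (four zero bytes mark an IKE message, a non-zero leading SPI marks ESP-in-UDP, a single 0xFF byte is a NAT keepalive) and the 28-byte IKE header; the datagrams in the comments and tests are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

IKE_PORT = 500          # bare IKE only; UDP encapsulation MUST NOT be used here
NATT_PORT = 4500        # both IKE (with marker) and ESP-in-UDP may arrive here
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 marker in front of IKE on 4500
KEEPALIVE = b"\xff"                    # RFC 3948 NAT keepalive payload
IKE_HDR_LEN = 28                       # fixed IKEv2 header size
ESP_MIN_LEN = 8                        # SPI (4) + sequence number (4)


@dataclass(frozen=True)
class Datagram:
    src_ip: str      # address the packet arrived from (post-NAT, as seen by us)
    src_port: int    # port the packet arrived from (post-NAT)
    dst_port: int    # local port it was received on: 500 or 4500
    payload: bytes


def classify(d: Datagram) -> tuple[str, bytes]:
    """Return (kind, inner) with kind in {'ike', 'esp', 'keepalive', 'drop'}.

    Implements the receive side of the quoted text: a peer MUST understand
    both encapsulated and non-encapsulated traffic on 4500, while anything
    UDP-encapsulated on 500 violates the MUST NOT and is dropped.
    """
    if d.dst_port == IKE_PORT:
        if d.payload.startswith(NON_ESP_MARKER) or len(d.payload) < IKE_HDR_LEN:
            return ("drop", b"")          # marker on 500 is not allowed
        return ("ike", d.payload)
    if d.dst_port == NATT_PORT:
        if d.payload == KEEPALIVE:
            return ("keepalive", b"")
        if d.payload.startswith(NON_ESP_MARKER):
            inner = d.payload[len(NON_ESP_MARKER):]
            return ("ike", inner) if len(inner) >= IKE_HDR_LEN else ("drop", b"")
        # Non-zero first four bytes are an ESP SPI: UDP-encapsulated ESP.
        return ("esp", d.payload) if len(d.payload) >= ESP_MIN_LEN else ("drop", b"")
    return ("drop", b"")                  # IKE only listens on 500 and 4500


def reply_target(d: Datagram) -> tuple[str, int]:
    """IKE MUST respond to the IP address and port the packet arrived from,
    which behind a NAT is the translated port, not the peer's own 500/4500."""
    return (d.src_ip, d.src_port)
```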
