Hi Tero,

Many thanks for answering all the questions.

Regards,
Srinivas 

-----Original Message-----
From: Tero Kivinen [mailto:kivi...@iki.fi] 
Sent: Wednesday, June 17, 2009 5:48 PM
To: Srinivasu S R S Dhulipala (srinid)
Cc: ipsec@ietf.org
Subject: [IPsec] About port floating b/w 4500 and 500

Srinivasu S R S Dhulipala (srinid) writes:
> With the above NAT-T and MOBIKE in the context, I've the following
> questions:
> 
> 1) Can an IKE peer that migrated to 4500 for some reason migrate back
>    to 500 later? Is that allowed?

If using MOBIKE it is very clear it cannot migrate back, as MOBIKE
requires that you always use port 4500 if NAT-T is supported at all.

If you do not use MOBIKE then there is no explicit text forbidding that,
but I myself at least have interpreted "can float to port 4500"
as something that can only happen in one direction, i.e. after you float
to 4500, you stay there; there is no way of getting back to port 500 with
the same IKE SA.

If you start new IKE SA then that exchange can start from port 500 (or
4500) and it can float to 4500 or stay at 500 (if started in port 500). 

> 2) One use case I see is that an IKE initiator who supports MOBIKE
>    does IKE_SA_INIT exchange on port 500. According to MOBIKE RFC, it
>    sends message 3 on port 4500. Let us assume that the responder does
>    not support MOBIKE.

If the responder includes NAT_DETECTION_*_IP payloads in its reply, that
means it will support NAT-T, thus the initiator is allowed to float to
port 4500 (with the new IKEv2bis text). Then, when during the IKE_AUTH
the initiator detects that the responder does not support MOBIKE, that
does not change anything: the IKE SA has already floated to port 4500,
and it will stay there.

>     Is the responder expected to respond on port 4500?

Yes. The RFC has text saying that you always reply back with the port
numbers reversed, and as incoming request had port numbers 4500 in it,
responder MUST reply from port 4500:
----------------------------------------------------------------------
2.11.  Address and Port Agility
   ...                                           An implementation MUST
   accept incoming requests even if the source port is not 500 or 4500,
   and MUST respond to the address and port from which the request was
   received.  It MUST specify the address and port at which the request
   was received as the source address and port in the response.  
----------------------------------------------------------------------

> 3) Continuing case 2) above, what is the port on which both the peers
>    are supposed to communicate afterwards?

Port 4500.

> Initiator learnt that responder is not supporting MOBIKE. Is it
> expected to continue on port 4500?

Yes.

> That is, if one peer migrates to 4500, is it expected to continue on 
> that port and not migrate back?

Yes.
--
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
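The behaviour agreed on in the thread above, written out as a small runnable
model. This is an added example, not code from the thread or from any IKE
implementation: the non-ESP marker framing on UDP 4500 and the
NAT_DETECTION_*_IP notify numbers come from RFC 7296 (sections 2.23 and
3.10.1), the "reply from the port you received on" rule from the section 2.11
text quoted above, and the one-way float and the MOBIKE-initiator policy from
Tero's answers. The IkeSa class, its methods, the scenario function and the
addresses are this example's own and are assumptions, not anything's real API.

```python
"""Model of IKEv2 port agility around the 500 -> 4500 float (added example)."""

IKE_PORT = 500
NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # four zero bytes precede IKE on UDP 4500

# Notify types whose presence in the IKE_SA_INIT reply shows NAT-T support
NAT_DETECTION_SOURCE_IP = 16388
NAT_DETECTION_DESTINATION_IP = 16389


def frame(port, ike_msg):
    """Wrap an IKE message for the UDP port it leaves on."""
    return NON_ESP_MARKER + ike_msg if port == NATT_PORT else ike_msg


def unframe(port, datagram):
    """Undo frame(). On 4500 a datagram without the marker is UDP-encapsulated
    ESP (its first four bytes are a nonzero SPI), so refuse to parse it as IKE."""
    if port != NATT_PORT:
        return datagram
    if datagram[:4] != NON_ESP_MARKER:
        raise ValueError("no non-ESP marker on port 4500: ESP, not IKE")
    return datagram[4:]


def responder_reply_endpoints(received_from, received_at):
    """RFC 7296 2.11: reply to the address/port the request came from and use
    the address/port it arrived at as the source. Nothing is normalised back
    to 500 or 4500, so a NAT-mapped source port is echoed as-is."""
    return {"src": received_at, "dst": received_from}


class IkeSa:
    """Port state of one IKE SA (hypothetical class). The float is one-way."""

    def __init__(self, local_addr, peer_addr):
        self.local = (local_addr, IKE_PORT)
        self.peer = (peer_addr, IKE_PORT)
        self.floated = False
        self.peer_supports_natt = False
        self.peer_supports_mobike = False

    def use_ports(self, local_port, peer_port):
        # Once this SA is on 4500 it stays there; a new IKE SA may start on 500.
        if self.floated and (local_port != NATT_PORT or peer_port == IKE_PORT):
            raise ValueError("IKE SA already floated to 4500; no way back to 500")
        self.local = (self.local[0], local_port)
        self.peer = (self.peer[0], peer_port)
        if local_port == NATT_PORT:
            self.floated = True


def initiator_after_sa_init(sa, responder_notifies, initiator_mobike):
    """Decide where message 3 (the IKE_AUTH request) goes. NAT_DETECTION_*_IP
    in the reply means the responder supports NAT-T; a MOBIKE initiator then
    floats to 4500 regardless of whether a NAT was actually detected."""
    natt = {NAT_DETECTION_SOURCE_IP, NAT_DETECTION_DESTINATION_IP} <= set(responder_notifies)
    sa.peer_supports_natt = natt
    if natt and initiator_mobike:
        sa.use_ports(NATT_PORT, NATT_PORT)
    return sa.local[1], sa.peer[1]


def float_back_is_rejected(sa):
    """True if trying to move this SA back to 500 raises, as the thread says it should."""
    try:
        sa.use_ports(IKE_PORT, IKE_PORT)
    except ValueError:
        return True
    return False


def run_case_2():
    """Cases 2) and 3) from the thread: MOBIKE initiator, NAT-T capable
    responder that does not support MOBIKE. Addresses are constructed."""
    init = IkeSa("198.51.100.10", "203.0.113.20")
    resp = IkeSa("203.0.113.20", "198.51.100.10")

    # IKE_SA_INIT on 500; the responder's reply carried both NAT_DETECTION notifies.
    notifies = {NAT_DETECTION_SOURCE_IP, NAT_DETECTION_DESTINATION_IP}
    initiator_after_sa_init(init, notifies, initiator_mobike=True)

    # Message 3 leaves 4500 -> 4500 with the non-ESP marker (constructed body).
    wire = frame(init.local[1], b"IKE_AUTH request")

    # The responder receives it on its 4500 and replies with the ports reversed.
    ike_msg = unframe(NATT_PORT, wire)
    ep = responder_reply_endpoints(received_from=init.local,
                                   received_at=(resp.local[0], NATT_PORT))
    resp.use_ports(ep["src"][1], ep["dst"][1])

    # IKE_AUTH shows the responder lacks MOBIKE; that changes nothing about ports.
    init.peer_supports_mobike = False

    return {
        "initiator": (init.local[1], init.peer[1]),
        "responder": (resp.local[1], resp.peer[1]),
        "ike_auth_seen_by_responder": ike_msg,
        "float_back_rejected": float_back_is_rejected(init),
    }


if __name__ == "__main__":
    print(run_case_2())
```

The point the model makes concrete: the responder never decides on a port of
its own; it mirrors whatever it received, so the only decision is the
initiator's float, and that decision is final for the life of the SA. A fresh
IkeSa() starts on 500 again, matching the first answer in the thread.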
