ikev2bis says:
An initiator can float to port 4500, regardless whether or not there
is NAT, even at the beginning of IKE. When either side is using port
4500, sending with UDP encapsulation is not required, but
understanding received packets with UDP encapsulation is required.
UDP encapsulation MUST NOT be done on port 500. If NAT-T is
supported (that is, if NAT_DETECTION_*_IP payloads were exchanged
during IKE_SA_INIT), all devices MUST be able to receive and process
both UDP encapsulated and non-UDP encapsulated packets at any time.
Either side can decide whether or not to use UDP encapsulation
irrespective of the choice made by the other side. However, if a NAT
is detected, both devices MUST send UDP encapsulated packets.
Dan has suggested that we clarify the part about UDP encapsulation.
However, I have an additional question about the port floating aspect. Do
we intend to say that an initiator may float to 4500, period, or is it
only allowed to do so if NAT_DETECTION_* payloads are exchanged? Can the
initiator have any confidence that the responder is even listening on port
4500 unless the responder sends a NAT-detection payload? Also, we have
not defined floating, so it is not clear what is really intended here. By
"float" do we mean that the initiator may send the IKE_SA_INIT request
to/from port 4500? Or are you only allowed to float on the IKE_AUTH
request?
Presumably there is at least some justification for floating the
IKE_SA_INIT request if you have an existing SA that you are
reauthenticating. But in the absence of a NAT_DETECTION_* payload or an
existing SA, I'm not sure that floating should be allowed, since the MUST
for listening on port 4500 appears only within the conditional context of
NAT traversal support.
Scott Moonen (smoo...@us.ibm.com)
z/OS Communications Server TCP/IP Development
http://www.linkedin.com/in/smoonen
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
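As an added illustration of the receive-side rules quoted from ikev2bis above (example code, not from the draft or from the poster): a demultiplexer for datagrams arriving on UDP ports 500 and 4500 that follows the RFC 3948 conventions (4-byte zero non-ESP marker before IKE on 4500, UDP-encapsulated ESP otherwise, one-byte NAT keepalive), plus the NAT_DETECTION_* check that decides whether the conditional MUST for accepting UDP encapsulation applies. The IKE_SA_INIT builder at the end constructs dummy test data only; the SPI and hash bytes are made up.

```python
import struct

IKE_HDR = struct.Struct("!QQBBBBII")   # ispi, rspi, next payload, version, exchange, flags, msgid, length
NON_ESP_MARKER, NAT_KEEPALIVE = b"\x00\x00\x00\x00", b"\xff"   # RFC 3948 port-4500 conventions
IKE_SA_INIT, NOTIFY = 34, 41                                   # exchange type / payload type
NAT_DETECTION_SOURCE_IP, NAT_DETECTION_DESTINATION_IP = 16388, 16389

def parse_ike(msg):
    """Return (exchange_type, [notify message types]) from a raw IKEv2 message."""
    if len(msg) < IKE_HDR.size:
        raise ValueError("truncated IKE header")
    _ispi, _rspi, nxt, ver, exch, _flags, _msgid, length = IKE_HDR.unpack_from(msg)
    if ver >> 4 != 2 or length != len(msg):
        raise ValueError("not a well-formed IKEv2 message")
    notifies, off = [], IKE_HDR.size
    while nxt != 0:                                    # walk the payload chain
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt_after, _crit, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        if nxt == NOTIFY:                              # proto(1) spi_size(1) notify type(2)
            notifies.append(struct.unpack_from("!H", msg, off + 6)[0])
        nxt, off = nxt_after, off + plen
    return exch, notifies

def classify(local_port, data):
    """Apply the port rules: raw IKE only on 500; marker+IKE, UDP-ESP or keepalive on 4500."""
    if local_port == 500:                              # UDP encapsulation MUST NOT be done here
        return ("ike",) + parse_ike(data)
    if local_port != 4500:
        raise ValueError("not an IKE/IPsec port")
    if data == NAT_KEEPALIVE:
        return ("nat-keepalive",)
    if data[:4] == NON_ESP_MARKER:                     # an ESP SPI is never 0, so this is unambiguous
        return ("ike",) + parse_ike(data[4:])
    return ("udp-esp",) + struct.unpack_from("!II", data)   # (spi, sequence number)

def nat_t_supported(notifies):
    """NAT-T was negotiated iff both NAT_DETECTION_* payloads were exchanged in IKE_SA_INIT."""
    return {NAT_DETECTION_SOURCE_IP, NAT_DETECTION_DESTINATION_IP} <= set(notifies)

def build_ike_sa_init(notify_types):
    """Constructed IKE_SA_INIT request carrying only Notify payloads (test data, not real IKE)."""
    body = b""
    for i, t in enumerate(notify_types):
        nxt = NOTIFY if i + 1 < len(notify_types) else 0
        body += struct.pack("!BBHBBH", nxt, 0, 28, 0, 0, t) + b"\x11" * 20   # 20-byte dummy hash
    first = NOTIFY if notify_types else 0
    return IKE_HDR.pack(0x1122334455667788, 0, first, 0x20, IKE_SA_INIT, 0x08, 0, IKE_HDR.size + len(body)) + body
```

Feeding the same IKE_SA_INIT with the marker prepended to port 500 fails the version check, which is the behaviour the draft's "MUST NOT" on port 500 implies for a strict receiver.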