Further question -- is it ok for the IKE negotiation *not* to float and then for the ESP traffic to later arrive UDP-encapped on port 4500? It seems like it would be wise not to send UDP-encapped ESP unless you've already verified that the 4500-4500 port pairing works during an IKE exchange. But the text in section 2.31 doesn't seem to exclude that possibility.
Personally, I think we should: 1) Rephrase the "non-UDP encapsulated packets" wording as Dan requested. Possible starting point: "receive and process IPsec packets with or without UDP encapsulation at any time." 2) Disallow floating on IKE_SA_INIT unless you have prior knowledge the peer supports NAT traversal (i.e., an existing SA is being authenticated, which itself exchanged NAT_DETECTION_* payloads even if it may not have detected a NAT). 3) Disallow this elective use of UDP-encap unless you have already floated the IKE SA. Scott Moonen (smoo...@us.ibm.com) z/OS Communications Server TCP/IP Development http://www.linkedin.com/in/smoonen From: Scott C Moonen/Raleigh/IBM To: ipsec@ietf.org Date: 01/11/2010 01:10 PM Subject: ikev2bis clarification on port floating ikev2bis says: An initiator can float to port 4500, regardless whether or not there is NAT, even at the beginning of IKE. When either side is using port 4500, sending with UDP encapsulation is not required, but understanding received packets with UDP encapsulation is required. UDP encapsulation MUST NOT be done on port 500. If NAT-T is supported (that is, if NAT_DETECTION_*_IP payloads were exchanged during IKE_SA_INIT), all devices MUST be able to receive and process both UDP encapsulated and non-UDP encapsulated packets at any time. Either side can decide whether or not to use UDP encapsulation irrespective of the choice made by the other side. However, if a NAT is detected, both devices MUST send UDP encapsulated packets. Dan has suggested that we clarify the part about UDP encapsulation. However, I have an additional question about the port floating aspect. Do we intend to say that an initiator may float to 4500, period, or is it only allowed to do so if NAT_DETECTION_* payloads are exchanged? Can the initiator have any confidence that the responder is even listening on port 4500 unless the responder sends a NAT-detection payload? Also, we have not defined floating, so it is not clear what is really intended here. By "float" do we mean that the initiator may send the IKE_SA_INIT request to/from port 4500? Or are you only allowed to float on the IKE_AUTH request? Presumably there is at least some justification for floating the IKE_SA_INIT request if you have an existing SA that you are reauthenticating. But in the absence of a NAT_DETECTION_* payload or an existing SA, I'm not sure that floating should be allowed, since the MUST for listening on port 4500 appears only within the conditional context of NAT traversal support. Scott Moonen (smoo...@us.ibm.com) z/OS Communications Server TCP/IP Development http://www.linkedin.com/in/smoonen
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
