Greetings again. ikev2bis 2.23 says:

   o  There are cases where a NAT box decides to remove mappings that are still alive (for example, the keepalive interval is too long, or the NAT box is rebooted). To recover in these cases, hosts that do not support other methods of recovery such as MOBIKE [MOBIKE], and that are not behind a NAT, SHOULD send all packets (including retransmission packets) to the IP address and port from the last valid authenticated packet from the other end (that is, they should dynamically update the address). A host behind a NAT SHOULD NOT do this because it opens a possible denial of service attack.

   . . .
How does a system on either side of the NAT detect this mapping removal?

--Paul Hoffman, Director
--VPN Consortium
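To make the quoted rule concrete, here is an added Python model (not from the draft, the thread, or any IKE implementation) of a toy NAT whose mapping expires when idle and a non-NAT responder that re-learns the initiator's address only from authenticated packets. Addresses, the `AUTH_OK` tag standing in for a passed integrity check, and the timing are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

Addr = Tuple[str, int]
AUTH_OK = b"valid-icv"  # constructed stand-in for a packet that passed the IKE SA integrity check


@dataclass
class Nat:
    """Toy NAT: a mapping lives only while traffic keeps it alive (constructed model)."""
    public_ip: str
    idle_timeout: float
    mappings: Dict[Addr, Tuple[int, float]] = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, inner: Addr, now: float) -> Addr:
        entry = self.mappings.get(inner)
        if entry is not None and now - entry[1] < self.idle_timeout:
            self.mappings[inner] = (entry[0], now)  # refresh the still-live mapping
            return (self.public_ip, entry[0])
        port, self.next_port = self.next_port, self.next_port + 1  # expired: new port
        self.mappings[inner] = (port, now)
        return (self.public_ip, port)


@dataclass
class Peer:
    """IKEv2 host applying ikev2bis 2.23: move the remembered peer address only on
    authenticated packets, and only if this host is itself not behind a NAT."""
    behind_nat: bool
    peer_addr: Addr

    def on_packet(self, src: Addr, icv: bytes) -> bool:
        """Return True if the remembered peer address changed."""
        if icv != AUTH_OK or self.behind_nat or src == self.peer_addr:
            return False
        self.peer_addr = src  # all later packets, retransmissions included, go here
        return True


def simulate(keepalive_interval: float, nat_timeout: float, duration: float = 300.0) -> int:
    """Count how often the non-NAT responder must re-learn the initiator's address.
    A keepalive interval longer than the NAT idle timeout yields a new mapping each time."""
    nat = Nat(public_ip="203.0.113.7", idle_timeout=nat_timeout)  # constructed addresses
    initiator: Addr = ("10.0.0.5", 500)
    responder = Peer(behind_nat=False, peer_addr=nat.outbound(initiator, 0.0))
    changes, t = 0, keepalive_interval
    while t <= duration:
        changes += responder.on_packet(nat.outbound(initiator, t), AUTH_OK)
        t += keepalive_interval
    return changes
```

Running `simulate(20.0, 30.0)` reports no address changes, while `simulate(60.0, 30.0)` shows the responder re-learning the mapping on every keepalive; a `Peer` with `behind_nat=True` never moves its address regardless of input.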