Hi Paul,

A system can detect NAT mapping removal from a CHANGED source port of an authenticated IKE PACKET. A system can detect NAT mapping removal from a CHANGED source port of a UDP-encapsulated packet of an authenticated IPsec PACKET. Also, the system knows, from the NAT detection process, whether it is behind a NAT, the Peer is behind a NAT, or Both are behind a NAT.
Thanks,
Raj

On Tue, Feb 2, 2010 at 9:14 AM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> Greetings again. ikev2bis 2.23 says:
>
>    o  There are cases where a NAT box decides to remove mappings that
>       are still alive (for example, the keepalive interval is too long,
>       or the NAT box is rebooted). To recover in these cases, hosts
>       that do not support other methods of recovery such as MOBIKE
>       [MOBIKE], and that are not behind a NAT, SHOULD send all packets
>       (including retransmission packets) to the IP address and port from
>       the last valid authenticated packet from the other end (that is,
>       they should dynamically update the address). A host behind a NAT
>       SHOULD NOT do this because it opens a possible denial of service
>       attack.
> . . .
>
> How does a system on either side of the NAT detect this mapping removal?
>
> --Paul Hoffman, Director
> --VPN Consortium
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
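The detection rule Raj describes (a validated packet arriving from a source IP/port that differs from the one recorded at the last authenticated packet) and the section 2.23 rule Paul quotes (only a host that is not behind a NAT may dynamically update the peer address) fit together in a few lines of state handling. The following is an added example, not code from this thread or from any IKE implementation; the `IkeSa` record, the truncated HMAC-SHA256 standing in for the IKE integrity checksum, the `process_packet` result strings and the sample addresses and key are all constructed for illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Tuple

Endpoint = Tuple[str, int]  # (ip, udp_port) as seen on the wire

@dataclass
class IkeSa:
    """Minimal per-IKE-SA state for address updating (hypothetical model)."""
    sk_a: bytes                 # integrity key for packets from the peer (constructed)
    peer: Endpoint              # source address/port of the last authenticated packet
    local_behind_nat: bool      # learned from NAT_DETECTION_SOURCE_IP in IKE_SA_INIT
    peer_behind_nat: bool       # learned from NAT_DETECTION_DESTINATION_IP in IKE_SA_INIT
    mapping_changes: int = 0    # how often the peer's apparent endpoint changed

MAC_LEN = 16

def compute_mac(key: bytes, data: bytes) -> bytes:
    """Truncated HMAC-SHA256, standing in for the IKE integrity checksum."""
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]

def is_authenticated(sa: IkeSa, data: bytes, mac: bytes) -> bool:
    """Only packets whose integrity checksum verifies may influence SA state."""
    return hmac.compare_digest(compute_mac(sa.sk_a, data), mac)

def mapping_changed(sa: IkeSa, src: Endpoint) -> bool:
    """Detection rule from the thread: the source IP/port differs from the
    endpoint recorded at the last authenticated packet."""
    return src != sa.peer

def process_packet(sa: IkeSa, src: Endpoint, data: bytes, mac: bytes) -> str:
    """Apply ikev2bis section 2.23 to one inbound IKE packet.
    Returns "rejected", "unchanged", "updated" or "detected_no_update"."""
    if not is_authenticated(sa, data, mac):
        # An unauthenticated datagram from a new port proves nothing; drop it
        # before it can touch the SA, so a spoofed packet cannot redirect traffic.
        return "rejected"
    if not mapping_changed(sa, src):
        return "unchanged"
    sa.mapping_changes += 1
    if sa.local_behind_nat:
        # Section 2.23: a host behind a NAT SHOULD NOT dynamically update the
        # peer address (possible denial of service); only record the event.
        return "detected_no_update"
    sa.peer = src
    return "updated"

def demo():
    """Walk one SA on each side of the NAT through the four outcomes (constructed data)."""
    key = b"constructed-integrity-key"
    pkt = b"IKE INFORMATIONAL keepalive (constructed payload)"
    good_mac = compute_mac(key, pkt)
    bad_mac = bytes(MAC_LEN)

    # Host on the public side: peer is behind a NAT, we are not.
    public_side = IkeSa(sk_a=key, peer=("198.51.100.7", 4500),
                        local_behind_nat=False, peer_behind_nat=True)
    results = [
        process_packet(public_side, ("198.51.100.7", 4500), pkt, good_mac),   # unchanged
        process_packet(public_side, ("198.51.100.7", 61001), pkt, bad_mac),   # rejected
        process_packet(public_side, ("198.51.100.7", 61001), pkt, good_mac),  # updated
    ]

    # Host behind the NAT: it notices the change but keeps the old address.
    nat_side = IkeSa(sk_a=key, peer=("203.0.113.5", 4500),
                     local_behind_nat=True, peer_behind_nat=False)
    results.append(process_packet(nat_side, ("203.0.113.5", 4501), pkt, good_mac))

    return results, public_side.peer, public_side.mapping_changes, nat_side.peer

if __name__ == "__main__":
    print(demo())
```

Two points the example makes explicit: the address is only ever taken from a packet whose integrity checksum verified, and the "behind a NAT" flag learned during IKE_SA_INIT is what gates the update. A real daemon would also require the packet to carry a fresh message ID within the replay window before honouring the new endpoint, so that an old authenticated packet resent from another address cannot move the SA.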