Paul Hoffman writes:
> Greetings again. ikev2bis 2.23 says:
> 
>    o  There are cases where a NAT box decides to remove mappings that
>       are still alive (for example, the keepalive interval is too long,
>       or the NAT box is rebooted).  To recover in these cases, hosts
>       that do not support other methods of recovery such as MOBIKE
>       [MOBIKE], and that are not behind a NAT, SHOULD send all packets
>       (including retransmission packets) to the IP address and port from
>       the last valid authenticated packet from the other end (that is,
>       they should dynamically update the address).  A host behind a NAT
>       SHOULD NOT do this because it opens a possible denial of service
>       attack.  . . .
> 
> How does a system on either side of the NAT detect this mapping removal?

Raj already answered this, but also note that this bullet does not
require you to explicitly detect NAT mapping removals; it gives rules
for how you fix the situation when the NAT mappings have been removed and
recreated, i.e. when you send packets back you use the IP addresses
and ports from the last valid authenticated packet from the other end.
That will automatically fix the situation.

I.e. you can detect that the NAT mapping has changed if those addresses or
ports change, but if you just follow the rule listed in the bullet,
you do not need to care about that, as it takes care of the situation.
-- 
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
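The rule discussed above, as an added, simplified model that is not part of the thread or of any IKEv2 implementation: a peer address is moved only on an integrity-verified packet, and a host that knows it is behind a NAT never moves it. The HMAC integrity check, the `PeerState` fields and the sample addresses are constructed stand-ins for real IKEv2 ICV verification and SA state.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed model of the ikev2bis 2.23 rule, not real IKEv2 packet processing.


@dataclass
class PeerState:
    behind_nat: bool   # does this host know it sits behind a NAT?
    peer_addr: tuple   # (ip, port) that replies and retransmissions go to
    sk_a: bytes        # constructed stand-in for the IKE SA integrity key


def sign(sk_a: bytes, payload: bytes) -> bytes:
    """Stand-in for the sender computing the packet's integrity checksum."""
    return hmac.new(sk_a, payload, hashlib.sha256).digest()


def authenticated(state: PeerState, payload: bytes, tag: bytes) -> bool:
    """Stand-in for the receiver verifying the ICV with the SA's key."""
    return hmac.compare_digest(sign(state.sk_a, payload), tag)


def receive(state: PeerState, src: tuple, payload: bytes, tag: bytes) -> bool:
    """Apply the 2.23 rule to one inbound packet from source address `src`.

    Returns True only when the stored peer address was updated.
    """
    if not authenticated(state, payload, tag):
        return False      # unauthenticated packets never move the peer address
    if state.behind_nat:
        return False      # SHOULD NOT update dynamically: opens a DoS
    if src != state.peer_addr:
        state.peer_addr = src   # last valid authenticated packet wins
        return True
    return False


def nat_reboot_scenario() -> tuple:
    """NAT reboots and the peer reappears from a new port; replies follow it."""
    key = b"constructed-sk_a"
    host = PeerState(behind_nat=False, peer_addr=("198.51.100.7", 4500), sk_a=key)
    receive(host, ("198.51.100.7", 61001), b"INFORMATIONAL", sign(key, b"INFORMATIONAL"))
    return host.peer_addr
```

A host that updates on an unauthenticated packet would let anyone who can spoof a source address redirect its IKE traffic, which is why the check on the integrity tag comes before the address comparison.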