Raj Singh writes:
> One clear change is that updating the address, port info is changed from
> authenticated packet to integrity protected packet.

In this case that does not really matter.

> Is this change to allow recovery from NAT mapping removal
> during establishment of IKEv2 SA e.g. with EAP authentication,
> during retransmission of IKE_AUTH exchange? If yes, can we have an
> explicit statement of it?

This is not necessarily needed, as the IKE_AUTH replies are IKE packets, which are always sent back with their addresses reversed, thus those replies will go back anyway, and there cannot be any other packets (IKE or ESP) before the IKE_AUTH finishes, and that last IKE_AUTH packet is already also authenticated (in addition to the integrity protected), thus the last IKE_AUTH packet will already cause the mappings to be updated.

So either wording is fine. What is not fine is to do the changes if the packet is replayed.
--
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
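An added illustration of the rule discussed above (example code written for this page, not code from the thread or from any IKE implementation): a toy responder that always replies to the source address a request came from, but moves the SA's stored peer address only on a fresh, integrity-checked packet, never on a replay or on a packet with a bad checksum. The key, packet layout, Message ID handling and addresses are constructed for the demo.

```python
import hmac
import hashlib

# Constructed integrity key for the simulated SA (hypothetical, not a real SK_a).
SK_A = b"constructed-sk_a-for-demo"


def icv(msg_id: int, exchange: str, body: bytes) -> bytes:
    """Integrity checksum over the fields this toy verifier covers (simplified)."""
    data = msg_id.to_bytes(4, "big") + exchange.encode() + body
    return hmac.new(SK_A, data, hashlib.sha256).digest()


class IkeSa:
    """Responder-side view of one IKEv2 SA with NAT traversal in use."""

    def __init__(self, peer):
        self.peer = peer          # (ip, port) the SA currently sends to
        self.last_msg_id = -1     # highest request Message ID already accepted

    def receive(self, pkt, src):
        """Process one request received from src=(ip, port).

        Returns (accepted, reply_to). A reply always goes back to src, so an
        IKE_AUTH reply reaches the peer even before any mapping update.
        The stored peer address changes only for a fresh, integrity-checked
        packet: a replay (Message ID not above the last accepted one) or a
        packet with a bad checksum never moves the SA to a new address.
        """
        expected = icv(pkt["msg_id"], pkt["exchange"], pkt["body"])
        if not hmac.compare_digest(expected, pkt["icv"]):
            return False, None            # bad ICV: drop, no reply, no update
        if pkt["msg_id"] <= self.last_msg_id:
            return False, src             # replay: old reply may be resent, no update
        self.last_msg_id = pkt["msg_id"]
        self.peer = src                   # mapping has changed: follow it
        return True, src


if __name__ == "__main__":
    sa = IkeSa(("203.0.113.5", 4500))
    req = {"msg_id": 1, "exchange": "IKE_AUTH", "body": b"auth",
           "icv": icv(1, "IKE_AUTH", b"auth")}
    print(sa.receive(req, ("203.0.113.5", 4500)), sa.peer)
    # Same packet replayed from another address: answered there, SA not moved.
    print(sa.receive(req, ("198.51.100.9", 4500)), sa.peer)
```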