2010/2/8 Tero Kivinen <kivi...@iki.fi>
> Raj Singh writes:
> > One clear change is that updating the address, port info is changed from
> > authenticated packet
> > to integrity protected packet.
>
> In this case that does not really matter.
>
> > Is this change to allow recovery from NAT mapping removal
> > during establishment of the IKEv2 SA, e.g. with EAP authentication,
> > during retransmission of the IKE_AUTH exchange? If yes, can we have an
> > explicit say for it?
>
> This is not necessarily needed, as the IKE_AUTH replies are IKE
> packets, which are always sent back with their addresses reversed,
> thus those replies will go back anyway, and there cannot be any other
> packets (IKE or ESP) before the IKE_AUTH finishes, and that last
> IKE_AUTH packet is already also authenticated (in addition to being
> integrity protected), thus the last IKE_AUTH packet will already cause
> the mappings to be updated.
>
> So either wording is fine. What is not fine is to do the changes if
> the packet is replayed.
Suppose the responder got an IKE_AUTH request from (NIP1, NP1), and now the mapping got removed at the NAT box. If the responder sends its packet to the source of the last integrity protected packet, i.e. the IKE_AUTH request, it will send the IKE_AUTH packet to (NIP1, NP1), but now the NAT mappings are removed, so it will not reach the initiator. If we are using EAP authentication then the first IKE_AUTH will not contain an AUTH payload, so it's NOT an authenticated packet. It's only integrity protected. That was the thought behind the question.

> --
> kivi...@iki.fi
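The two rules being compared above (update the peer address/port from any integrity protected, non-replayed packet, versus only from an authenticated one), as an added model that is not code from the thread or from any IKEv2 implementation. It assumes a constructed SK_a key, HMAC-SHA256 as the integrity check, and in-order IKEv2 Message IDs as the replay check; the EAP case where the first IKE_AUTH carries no AUTH payload is the one that separates the two wordings.

```python
import hashlib
import hmac


class IkeSa:
    """Responder-side view of one IKE SA (constructed model, not a real stack)."""

    def __init__(self, sk_a, peer_addr, require_auth=False):
        self.sk_a = sk_a                  # integrity key SK_a shared with the peer
        self.peer_addr = peer_addr        # (ip, port) we currently send to
        self.next_msg_id = 0              # next request Message ID we will accept
        self.authenticated = False        # set once an AUTH payload has verified
        self.require_auth = require_auth  # True = old "authenticated packet" wording

    def icv(self, msg_id, payload):
        # Integrity check value: HMAC-SHA256 over Message ID + payload
        data = msg_id.to_bytes(4, "big") + payload
        return hmac.new(self.sk_a, data, hashlib.sha256).digest()

    def receive(self, src_addr, msg_id, payload, icv, has_auth=False):
        """Process an inbound request and report what happened to the mapping."""
        if not hmac.compare_digest(self.icv(msg_id, payload), icv):
            return "dropped: bad ICV"
        if msg_id != self.next_msg_id:
            # Retransmission or replay: must never move the mapping
            return "replay: mapping unchanged"
        self.next_msg_id += 1
        if has_auth:
            self.authenticated = True
        if self.require_auth and not self.authenticated:
            # EAP case: the first IKE_AUTH has no AUTH payload, so it is only
            # integrity protected; the strict rule leaves the stale mapping in place
            return "integrity only: mapping unchanged"
        if src_addr != self.peer_addr:
            self.peer_addr = src_addr
            return "mapping updated"
        return "ok"


if __name__ == "__main__":
    key = b"\x01" * 32                                          # constructed SK_a
    old, new = ("203.0.113.1", 4500), ("203.0.113.1", 40001)   # NAT rebinds the port
    sa = IkeSa(key, old)
    p1, p2 = b"IKE_AUTH eap-1", b"IKE_AUTH eap-2"
    print(sa.receive(old, 0, p1, sa.icv(0, p1)))   # ok
    print(sa.receive(new, 0, p1, sa.icv(0, p1)))   # replay: mapping unchanged
    print(sa.receive(new, 1, p2, sa.icv(1, p2)))   # mapping updated
    print(sa.peer_addr)                            # ('203.0.113.1', 40001)
```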
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec