Scott C Moonen writes:
> Further question -- is it ok for the IKE negotiation *not* to float and
> then for the ESP traffic to later arrive UDP-encapped on port 4500?
Yes, provided the NAT_DETECTION_* payloads were exchanged, (i.e. the
implementation knows other end supports NAT-T).
> It seems l
Hi,
Thanks to the IESG feedback, we have had a long and enlightening discussion on
the list. But we have not reached consensus on either of the two questions. As
a result, Paul and I are proposing the following resolution, which appears to
be acceptable both to the draft's editors and to the IE
Tero,
> > 2) Disallow floating on IKE_SA_INIT unless . . .
> Why do you want to disallow that? . . .
>
> > 3) Disallow this elective use of UDP-encap unless . . .
> Again why do that?
I guess I'm thinking more about what is advisable (without out-of-band
knowledge or inference) than what is per
Looks Good.
Sriram
On Tue, Jan 12, 2010 at 5:07 PM, Yaron Sheffer wrote:
> Hi,
>
> Thanks to the IESG feedback, we have had a long and enlightening discussion
> on the list. But we have not reached consensus on either of the two
> questions. As a result, Paul and I are proposing the following
Hi Scott
When writing remote access VPN clients (running on phones, PCs, tablets,
probably not z/OS) it's usually safe to assume that the peer (a gateway)
supports NAT-T. This is because on the real Internet, a RAS that does not
support NAT-T simply doesn't work. NATs are everywhere.
So it's p
Yoav, thanks. I withdraw my suggestions #2 and #3 altogether, and
(barring objections) we can just stick with the suggested rewording of
"both UDP encapsulated and non-UDP encapsulated packets" to "IPsec packets
with or without UDP encapsulation".
Scott Moonen (smoo...@us.ibm.com)
z/OS Commun
The draft says:
After this address substitution, both the traffic selectors and the
IKE UDP source/destination addresses look the same, and the server
does SPD lookup based on those new traffic selectors. If an entry is
found and it allows transport mode, then that entry is used. If
The "MUST return TEMPORARY_FAILURE" wording was not in the text
proposed by the issue #22 design team. The original wording was
"will return TEMPORARY_FAILURE". Had the team carefully
considered a SHOULD versus MUST in this case I suspect we would
have picked "SHOULD". Anyway, my vote is for "S
