NAT Traversal in IKEv2

[Paul Hoffman / VPNC <paul.hoffman@xxxxxxxx>]

[[ Please note that I changed the subject line. Everyone: if you want 
to comment on what was said at the meeting, please make a better 
subject line for your thread! ]]

At 12:46 PM +0200 11/26/02, Ari Huttunen wrote:
> Paul Hoffman / VPNC wrote:
> > IKEv2 status discussion - Charlie Kaufman
> >     New draft in October
> >     Changed many things that became controversial:
> >         Suites replaced ala carte
> >         Went to always 4 messages
> >         Simplified traffic selector (no one has complained)
> >     Other controversies
> >         NAT traversal
> >         Tunnel vs. transport negotiation
> >         Key sizes and algorithms
> >         Legacy auth not covered
> >         Revised identity proposal
> >     NAT Traversal
> >         Not in IKEv1, but now there is a draft
> >         Should the new extensions be included in IKEv2?
> >     Tunnel vs. transport
> >         No negotiation in IKEv2
> >         Charlie needs to understand why this is needed
> >         If inner and outer IP addresses are the same,
> >             MAY use transport
>
> IMHO, NAT traversal is currently unnecessarily complicated.
> If we can imagine tweaking some things that we could not tweak
> when specifying it for IKEv1, we could make it simpler.
> I would myself throw out transport mode, and specify only
> tunnel mode for NAT traversal. I would also make IKEv2 always
> floated, so we can get rid of the ugly part of changing
> a protocol from one port to another.

Just to be clear, are you saying that the port for IKEv2 should 
always be floated even if NAT-traversal is not negotiated?

--Paul Hoffman, Director
--VPN Consortium