[Mobike] issue 3: nat traversal
James Kempf
kempf at docomolabs-usa.com
Tue Jan 4 12:42:28 EST 2005
Francis,
> => simple: I propose a configuration "NAT forbidden" bit:
> - if it is on NAT prevention is used and on the detection of a NAT
> IKE/MOBIKE is aborted with an error status.
> - if it is off NAT detection is used and on the detection of a NAT
> the NAT traversal feature of IKE is activated. If a NAT is suspected
> during an active IKE/MOBIKE session (cf previous discussion) then the
> session is aborted and IKE is restarted with NAT detection... Note it is
> possible to enforce the detection of a NAT at the price of a bidding
> down attack issue, and the IPsec WG decided to not support NAT traversal
> detection/activation in the middle of IKE sessions.
>
This sounds pretty reasonable to me. I think it should handle the case of
movement from outside a NAT to inside. Though it would require IPsec to be
rerun, I think this is a feature, since, as you mention, it avoids bidding
down.
What about moving from inside to outside?
jak