Re: [Hipsec] I-D Action: draft-ietf-hip-native-nat-traversal-12.txt

Jeff Ahrenholz <> Thu, 30 June 2016 16:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 173FD12D1BE for <>; Thu, 30 Jun 2016 09:08:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id v3lhBNeBWO5p for <>; Thu, 30 Jun 2016 09:08:12 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B11F712D1B9 for <>; Thu, 30 Jun 2016 09:08:12 -0700 (PDT)
Received: from ( by MBX081-W5-CO-2 ( with Microsoft SMTP Server (TLS) id 15.0.1178.4; Thu, 30 Jun 2016 09:08:11 -0700
Received: from ([]) by ([]) with mapi id 15.00.1178.000; Thu, 30 Jun 2016 09:08:11 -0700
From: Jeff Ahrenholz <>
To: Miika Komu <>, "" <>
Thread-Topic: [Hipsec] I-D Action: draft-ietf-hip-native-nat-traversal-12.txt
Thread-Index: AQHRzVleTAP7xruKpU6gf7y7RtV0i5/3khUAgAAFU4CACpGgAIAAD3eA
Date: Thu, 30 Jun 2016 16:08:11 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [Hipsec] I-D Action: draft-ietf-hip-native-nat-traversal-12.txt
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 30 Jun 2016 16:08:14 -0000


> On 6/30/16, 1:12 AM, "Miika Komu" <> wrote:
> Is it actually a problem for the Responder that two different Initiators 
> happen to claim different SPIs? The Initiators have different IP 
> addresses (or at least UDP ports if they are behind the same NAT).

You’re right, it seems like it is not a problem for the Responder since there are different IP/ports.

> It is a problem for the data relay, so the text says:
> "Upon receiving an I2 with a colliding SPI, the Responder MUST not 
> include the relayed address in the R2 message because the data relay 
> would not be able demultiplex the related ESP packet to the correct 
> Initiator."

Does this mean the Responder should not even send the R2 message upon collision?

The draft also says this:

 “The described
   collision scenario can be avoided if the Responder delivers a new
   relayed address candidate upon SPI collisions.  Each relayed address
   has a separate UDP port reserved to it, so the relay can demultiplex
   properly conflicting SPIs of the Initiators based on the SPI and port
   number towards the correct Responder.”

What if the Responder sends the R2 message (established state)  and then immediately follows with an UPDATE packet to initiate a rekey?
The rekey would cause both sides to select new SPI values.

Not sure what happens if you send the R2 without the relayed address -- proper state not created on the Initiator?