Re: [IPsec] I-D Action: draft-ietf-ipsecme-ike-tcp-01.txt

Yoav Nir <> Thu, 13 December 2012 17:20 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D353A21F8BBD for <>; Thu, 13 Dec 2012 09:20:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5cak1ZpkYc5X for <>; Thu, 13 Dec 2012 09:20:46 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id A4C4521F8BC3 for <>; Thu, 13 Dec 2012 09:20:45 -0800 (PST)
Received: from ([]) by (8.13.8/8.13.8) with ESMTP id qBDHKgFk012633; Thu, 13 Dec 2012 19:20:42 +0200
X-CheckPoint: {50CA0DC6-2-1B221DC2-2FFFF}
Received: from ([]) by ([]) with mapi id 14.02.0318.004; Thu, 13 Dec 2012 19:20:43 +0200
From: Yoav Nir <>
To: Valery Smyslov <>
Thread-Topic: [IPsec] I-D Action: draft-ietf-ipsecme-ike-tcp-01.txt
Thread-Index: AQHN0aZ0+Cpu7UGWpE+FbQ2/NGD005gTj3v/gANYDgA=
Date: Thu, 13 Dec 2012 17:20:42 +0000
Message-ID: <>
References: <> <E7FA5DBC7DB747779E6E6D73460A6615@buildpc>
In-Reply-To: <E7FA5DBC7DB747779E6E6D73460A6615@buildpc>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "<>" <>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-ike-tcp-01.txt
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 13 Dec 2012 17:20:47 -0000

Hi Valery

Thinking it over, I kind of regret adding the port field to the TCP_SUPPORTED notification. We don't have any mechanism for alternate UDP ports. Yes, UDP has cheap liveness checks to keep the mapping in the NAT so that requests can be initiated to the original initiator, while TCP does not. 

But your points are well taken. Leaving the advertised TCP port to configuration or auto-discovery is error prone and adds unnecessary complications to the protocol.  

I propose that:
 1. We remove the port from the Notify
 2. All connections will be done to port 500.
 3. We warn against trying to use TCP to a peer behind NAT

This loses the ability to use port forwarding to have a reachable TCP port (unless that port is 500), but I think the simplification justifies it.


On Dec 11, 2012, at 2:16 PM, Valery Smyslov <> wrote:

> Hi,
> I'm a bit uncomfortable with the requirement that IKE peer "MUST"
> advertise NAT device port if it is reachable and "MUST NOT"
> if it isn't. I think, that IKE Initiator in most cases cannot
> reliably determine whether it is reachable or not. For example,
> even if you manually configured port forwarding on your home
> network border NAT box and then configured IKE to advertise this
> port, that wouldn't imply that this port is actually reachable
> as your ISP may have another NAT and, as CGN become more
> common, number of those nested NAT's will increase.
> Even STUN might not be a good solution - it is pretty expensive in terms of round trips, requires the presence of STUN server in the same network segment as IKE Responder,  utilizes TLS and, most important, deals with UDP only (AFAIK).
> So, I think that the requirement for IKE Initiator to advertise
> its support for TCP and port it thinks it is reachable at
> should be listed as "SHOULD" or even "MAY". Otherwise
> it sounds like a paradox - protocol requires IKE to do
> or not to do some action depending on condition that IKE in most cases is unable to determine.
> Related issues.
> - in description to TCP Port field in IKE_TCP_SUPPORTED Notification    it is written that "If the sender is not subject to network address    translation, the port SHOULD be 500." Again, IKE Initiator
>   cannot reliably determine whether it is behind NAT or not.
>   It becomes clear only after initial request completes and
>   NAT_TRAVERSAL_*_IP are processed.
> - as it is quite possible that the port advertised by IKE Initiator
>   in IKE_TCP_SUPPORTED Notification is actually    not reachable, I think it is worth to mention, that if original
>   Responder after IKE SA is established wants to    make some request using TCP port advertised by
>   original Initiator and this port appears to be not reachable,
>   this Responder MUST NOT tear down IKE SA but MUST    instead fall back to UDP transport.
> Regards,
> Valery Smyslov.
> Email secured by Check Point