Hi Yoav,
> Hi Valery
>
> Thinking it over, I kind of regret adding the port field to the TCP_SUPPORTED notification.
>
> We don't have any mechanism for alternate UDP ports. Yes, UDP has cheap liveness checks to keep the mapping in the NAT so that requests can be initiated to the original initiator, while TCP does not.
>
> But your points are well taken. Leaving the advertised TCP port to configuration or auto-discovery is error-prone and adds unnecessary complications to the protocol.
>
> I propose that:
>
> 1. We remove the port from the Notify.
> 2. All connections will be done to port 500.
> 3. We warn against trying to use TCP to a peer behind NAT.

Fully agree. And in this case please add the following to the list:

4. We remove the TCP_SUPPORTED notification from the Initiator's message (as it becomes redundant for most use cases).

> This loses the ability to use port forwarding to have a reachable TCP port (unless that port is 500), but I think the simplification justifies it.

Agree.

Valery.

> Yoav
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec