Hi,

Coming back to yesterday's discussion: there seems to be another issue
if an implementation first sends a request to update the address over UDP and
then switches to TCP. The problem arises if NO_NATS_ALLOWED is included:
it contains the IP addresses and ports of the initiator and responder. If you
leave it intact while switching to TCP, then it won't match the real addresses
and the responder will treat it as the presence of a NAT. In this case RFC 4555
suggests retrying the request several times with a new INFORMATIONAL
request. Probably we could clarify in the TCP guidelines draft that the content
of NO_NATS_ALLOWED MUST be recalculated in this case? Or is it obvious?

Regards,
Valery.


_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
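
The mismatch described in the message above, as an added example that is not part of the original post: it builds the NO_NATS_ALLOWED notification data in the RFC 4555 layout (source address, destination address, source port, destination port) and runs the responder's comparison for a request first built for UDP and then resent over TCP. The addresses, the ephemeral TCP source port and all function names are constructed for illustration.

```python
import ipaddress
import struct

# Constructed sample endpoints (documentation address ranges), not from the post.
INITIATOR_IP, RESPONDER_IP = "192.0.2.10", "198.51.100.1"
UDP_FLOW = (INITIATOR_IP, 4500, RESPONDER_IP, 4500)
TCP_FLOW = (INITIATOR_IP, 51514, RESPONDER_IP, 4500)  # ephemeral source port (assumed)


def build_no_nats_allowed(src_ip, src_port, dst_ip, dst_port):
    """Notification data: src address, dst address, src port, dst port.

    12 bytes for IPv4, 36 bytes for IPv6; ports are 16-bit, network byte order.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination address families differ")
    return src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)


def responder_check(data, observed_flow):
    """Compare the payload with the addresses and ports the packet really carried.

    Any difference is treated as a NAT on the path, which the responder
    reports with UNEXPECTED_NAT_DETECTED.
    """
    expected = build_no_nats_allowed(*observed_flow)
    return "OK" if data == expected else "UNEXPECTED_NAT_DETECTED"


def resend_over_tcp(recalculate):
    """Initiator builds the request for UDP, then switches transport to TCP."""
    payload = build_no_nats_allowed(*UDP_FLOW)
    if recalculate:
        # Rebuild the payload from the TCP connection's own endpoints.
        payload = build_no_nats_allowed(*TCP_FLOW)
    return responder_check(payload, TCP_FLOW)


if __name__ == "__main__":
    print("payload left intact:  ", resend_over_tcp(recalculate=False))
    print("payload recalculated: ", resend_over_tcp(recalculate=True))
```
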
