Re: Changing to port 4500
Tero Kivinen <kivinen <at> iki.fi>
2006-09-07 07:32:19 GMT
Eric Fung writes:
> > The RFC 4555 has a bit underspecified text saying we change if both
> > ends support both, but actually we do not need to know whether
> > remote end supports MOBIKE, knowing that it supports NAT-T is
> > enough. Anyways examples make it very clear that we change to port
> > 4500 for the IKE_AUTH.
>
> If there is no NAT between the peers and we change to port 4500,
> should ESP packets be UDP encapsulated or not? I don't see any
> pertinent guidance in RFC 4306 and at least one implementation I'm
> testing against differs in its interpretation.
RFC4555 specifies that UDP Encapsulation (i.e. NAT Traversal) can be
enabled and disabled at will, i.e. in normal case it should be enabled
if NAT is detected on the selected addresses. The 4555 does not forbid
enabling it even if no NAT is detected, as it might also be needed to
go through firewalls etc., but it does not give guidance whether it
should be enabled or not.
Anyways the sender can use UDP encapsulation or not, and the recipient
needs to be able to receive packets with UDP encapsulation and without
UDP encapsulation always (at least for the mobike if NAT-T is
supported).
The RFC 4306 says that you MUST enable UDP encapsulation if NAT is
detected, but it does not say anything whether you can enable it if no
NAT is detected. It is silent about this issue, but nothing there says
that it should process UDP encapsulated IPsec packets any differently
than non UDP encapsulated IPsec packets, so I would guess the correct
answer is that also RFC 4306 compliant implementations should accept
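The receiver-side requirement discussed in this message (accept ESP both with and without UDP encapsulation, and hand both to the same ESP processing path) is illustrated below with an added example. This is not code from the thread or from any IPsec implementation; it is a toy inbound demultiplexer that applies the RFC 3948 rules for UDP port 4500 (a four-zero-octet Non-ESP Marker prefixes IKE, a lone 0xFF octet is a NAT-keepalive, anything else is ESP starting with its non-zero SPI) and treats raw ESP (IP protocol 50) identically once the header is found. The function names, the `dispatch()` return format and the sample packets are all constructed for this example.

```python
"""Toy inbound demultiplexer: raw ESP and UDP-encapsulated ESP share one path."""
import struct
from typing import Optional

# RFC 3948 framing on UDP port 4500.
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE messages on port 4500
NAT_KEEPALIVE = b"\xff"                # one-octet keepalive, never passed to ESP
IPPROTO_UDP = 17
IPPROTO_ESP = 50
NATT_PORT = 4500


def classify_udp4500(payload: bytes) -> str:
    """Classify one datagram received on UDP port 4500."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload.startswith(NON_ESP_MARKER):
        return "ike"
    if len(payload) >= 8:          # at least SPI + sequence number present
        return "esp"
    return "malformed"


def parse_esp_header(esp: bytes) -> tuple:
    """Return (SPI, sequence number) from the front of an ESP packet."""
    if len(esp) < 8:
        raise ValueError("ESP packet shorter than SPI + sequence number")
    spi, seq = struct.unpack("!II", esp[:8])
    if spi == 0:
        # SPI 0 is reserved; on port 4500 it would look like a Non-ESP Marker.
        raise ValueError("SPI 0 is reserved and never appears on the wire")
    return spi, seq


def dispatch(ip_proto: int, udp_dport: Optional[int], payload: bytes) -> dict:
    """Route an inbound packet; ESP is handled the same way either way.

    ip_proto: IP protocol number of the packet.
    udp_dport: UDP destination port, or None if the packet is not UDP.
    payload: transport payload (UDP data, or the ESP packet for protocol 50).
    """
    if ip_proto == IPPROTO_ESP:
        spi, seq = parse_esp_header(payload)
        return {"kind": "esp", "encapsulated": False, "spi": spi, "seq": seq}
    if ip_proto == IPPROTO_UDP and udp_dport == NATT_PORT:
        kind = classify_udp4500(payload)
        if kind == "esp":
            spi, seq = parse_esp_header(payload)   # identical ESP processing
            return {"kind": "esp", "encapsulated": True, "spi": spi, "seq": seq}
        if kind == "ike":
            return {"kind": "ike", "encapsulated": True, "ike": payload[4:]}
        return {"kind": kind, "encapsulated": True}
    return {"kind": "other", "encapsulated": False}


# Constructed sample packets (not captures from any real session).
ESP_RAW = struct.pack("!II", 0x1A2B3C4D, 7) + b"\x00" * 24   # ESP carried as IP proto 50
ESP_UDP = ESP_RAW                                            # same ESP packet inside UDP/4500
IKE_UDP = (NON_ESP_MARKER                                    # marker + 28-byte IKEv2 header
           + bytes.fromhex("0011223344556677") + bytes.fromhex("8899aabbccddeeff")
           + b"\x21\x20\x23\x08" + b"\x00\x00\x00\x00" + b"\x00\x00\x00\x1c")
KEEPALIVE_UDP = NAT_KEEPALIVE


def demo() -> list:
    """Run the four constructed packets through the demultiplexer."""
    return [
        dispatch(IPPROTO_ESP, None, ESP_RAW),
        dispatch(IPPROTO_UDP, NATT_PORT, ESP_UDP),
        dispatch(IPPROTO_UDP, NATT_PORT, IKE_UDP),
        dispatch(IPPROTO_UDP, NATT_PORT, KEEPALIVE_UDP),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The point the example makes is that the decision "was this ESP UDP-encapsulated?" is settled entirely by where the bytes arrived, and after stripping the port-4500 framing the ESP header is parsed by the same function; a receiver that only accepted one form would reject valid traffic from a peer that legitimately chose the other, which is exactly the interoperability situation described above.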