D102 Existing documents claim

From: Jari Arkko
Subject: [Mobike] design draft issue: existing documents claim
Date: Wed, 21 Dec 2005 12:50:02 +0200

|    IKEv2 assumes that an IKE SA is created implicitly between the IP
|    address pair that is used during the protocol execution when
|    establishing the IKEv2 SA.  This means that, in each host, only one
|    IP address pair is stored for the IKEv2 SA as part of a single IKEv2
|    protocol session, and, for tunnel mode SAs, the hosts place this
|    single pair in the outer IP headers.  Existing documents make no
|    provision to change this pair after an IKE SA is created.


But doesn't NAT-T allow a limited form of changes?

From: Tero Kivinen
Subject: [Mobike]  design draft issue: existing documents claim
Date: Tue, 3 Jan 2006 17:26:48 +0200

Jari Arkko writes:
| |    IKEv2 assumes that an IKE SA is created implicitly between the IP
| |    address pair that is used during the protocol execution when
| |    establishing the IKEv2 SA.  This means that, in each host, only one
| |    IP address pair is stored for the IKEv2 SA as part of a single IKEv2
| |    protocol session, and, for tunnel mode SAs, the hosts place this
| |    single pair in the outer IP headers.  Existing documents make no
| |    provision to change this pair after an IKE SA is created.
| But doesn't NAT-T allow a limited form of changes?

There is text in RFC 4306 section 2.23 saying that implementations
SHOULD dynamically update the address of the host behind NAT if they
detect it has changed, but that is limited to the NAT-T case and
only so that the host not behind NAT does that for the host behind NAT.

I added text saying "(except for dynamic address update of NAT-T)" to
the end.
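As an added illustration of the limited update Tero describes (this is not code from the thread, the draft, or any IKEv2 implementation), a small Python model of the single address pair an IKE SA stores and of the RFC 4306 section 2.23 rule: only the host that is not behind a NAT moves the stored peer address, and only on the strength of an integrity-checked packet. The class and field names, and the two boolean flags standing in for the NAT detection result, are assumptions of this example.

```python
from dataclasses import dataclass, field


@dataclass
class IkeSa:
    """Minimal model of the one IP address pair an IKEv2 SA stores.
    (ip, port) tuples; remote_addr is also what goes in tunnel-mode outer headers.
    The two *_behind_nat flags stand in for what NAT_DETECTION_*_IP
    payloads revealed during IKE_SA_INIT (assumed representation)."""
    local_addr: tuple
    remote_addr: tuple
    local_behind_nat: bool = False
    remote_behind_nat: bool = False
    updates: list = field(default_factory=list)  # audit trail of address moves


def may_follow_peer(sa: IkeSa) -> bool:
    """RFC 4306 section 2.23: only a host NOT behind a NAT follows the
    peer's address, and only when the peer IS behind a NAT (NAT-T case).
    Plain IKEv2 (no NAT detected) keeps the pair fixed for the SA lifetime."""
    return sa.remote_behind_nat and not sa.local_behind_nat


def on_inbound_packet(sa: IkeSa, src_addr: tuple, integrity_ok: bool) -> bool:
    """Process an inbound IKE packet seen from src_addr.
    Returns True if the stored remote address pair was changed."""
    if not integrity_ok:
        # An unauthenticated packet must never move the SA: otherwise
        # anyone who can spoof a source address redirects the tunnel.
        return False
    if src_addr == sa.remote_addr:
        return False  # nothing to do; same pair as before
    if not may_follow_peer(sa):
        # Either no NAT-T, or this host is itself behind a NAT
        # (the RFC says a NATed host SHOULD NOT update, to limit DoS).
        return False
    sa.updates.append((sa.remote_addr, src_addr))
    sa.remote_addr = src_addr
    return True
```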