D117 Question about IP address changes

From: Yaron Sheffer
Subject: Re: [Mobike] WGLC on the design draft
Date: Wed, 28 Dec 2005 15:29:32 +0200

We have looked at the two drafts, and everything looks OK except that the
protocol assumes that the IPsec stack on the client knows when the
(externally visible) IP address has changed. This is obviously not the case
when the client is behind an edge router which has just restarted. When this
happens, NAT mappings are created arbitrarily, and the IPsec gateway will
receive ESP/UDP and IKE packets from a "new" source.

Please let me know if it's just something I am missing, or if indeed the
current protocol does not address this scenario.

From: Tero Kivinen
Subject: Re: [Mobike] D117 WGLC on the design draft
Date: Tue, 3 Jan 2006 20:51:54 +0200

Jari Arkko writes:
>We have looked at the two drafts, and everything looks OK except that the
>protocol assumes that the IPsec stack on the client knows when the
>(externally visible) IP address has changed.

It does assume that you notice your local IP address changing, i.e.
not the address of the NAT box that is between you and the other end.

If the client does not notice its IP address changing, then the other end
will assume there is a NAT box in between, and depending on whether NAT
prevention or NAT transition is enabled, the connection is either
disconnected or NAT-T is enabled.

> This is obviously not the case
>when the client is behind an edge router which has just restarted. When this
>happens, NAT mappings are created arbitrarily, and the IPsec gateway will
>receive ESP/UDP and IKE packets from a "new" source.

This is covered by the NAT-T part of the MOBIKE protocol (unless you have
configured NAT prevention on, in which case no NATs are allowed).

>Please let me know if it's just something I am missing, or if indeed the
>current protocol does not address this scenario.

The scenario is supported.
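The decision Tero describes (an authenticated IKE packet turns up from a source the gateway did not expect; the NAT detection payloads show the client did not notice any change; policy then picks between tearing the SA down and switching to NAT-T) can be written out as a small model. The code below is an added illustration for this thread, not code from the MOBIKE drafts or from any IKEv2 implementation, and it simplifies RFC 4555: the names `PeerState`, `IkePacket`, `handle_ike_packet` and `run_scenario`, the SPIs and the addresses are all constructed here. The one piece taken from a specification is `nat_detection_hash`, which builds the NAT_DETECTION_*_IP data as RFC 7296 defines it (SHA-1 over the two SPIs, the IP address and the port).

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple

Addr = Tuple[str, int]  # (IP address, UDP port)


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Data of a NAT_DETECTION_*_IP notify (RFC 7296, section 2.23): SHA-1 over
    SPIi | SPIr | IP address (4 or 16 octets) | port (2 octets, big-endian)."""
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")
    return hashlib.sha1(data).digest()


@dataclass
class IkePacket:
    src: Addr                        # source address/port the gateway actually observes
    authenticated: bool              # integrity check with the IKE SA keys passed
    update_sa_addresses: bool        # carries a MOBIKE UPDATE_SA_ADDRESSES notify
    nat_detection_source_ip: bytes   # hash over the address the *sender* thinks it has


@dataclass
class PeerState:
    spi_i: bytes
    spi_r: bytes
    peer_addr: Addr          # where the gateway currently sends IKE and ESP/UDP
    nat_prevention: bool     # policy: refuse to run through a NAT
    nat_t_active: bool = False
    alive: bool = True


def sender_behind_nat(state: PeerState, pkt: IkePacket) -> bool:
    """True when the sender's own view of its address differs from what we see,
    which means something on the path rewrote the source address or port."""
    observed = nat_detection_hash(state.spi_i, state.spi_r, pkt.src[0], pkt.src[1])
    return observed != pkt.nat_detection_source_ip


def handle_ike_packet(state: PeerState, pkt: IkePacket) -> str:
    """Decide what an IKE packet from an unexpected source means (simplified model)."""
    if not state.alive:
        return "dropped: SA already torn down"
    if not pkt.authenticated:
        # Only authenticated IKE traffic may move the tunnel endpoint; otherwise a
        # spoofed source address could redirect ESP to a host of someone else's choosing.
        return "dropped: not authenticated"
    if pkt.src == state.peer_addr:
        return "no change"
    if pkt.update_sa_addresses:
        # The client noticed its own address change and asked for an update.
        state.peer_addr = pkt.src
        return "address updated: UPDATE_SA_ADDRESSES"
    if not sender_behind_nat(state, pkt):
        # Source changed, the client's view of its address agrees with what we
        # see, yet it requested nothing: treated conservatively in this model.
        return "ignored: new source without UPDATE_SA_ADDRESSES"
    # Source changed and the client did not notice: a NAT mapping changed, e.g.
    # the edge router restarted. Policy decides between tearing down and NAT-T.
    if state.nat_prevention:
        state.alive = False
        return "disconnected: NAT detected, NAT prevention configured"
    state.peer_addr = pkt.src
    state.nat_t_active = True
    return "NAT-T: peer mapping updated"


def run_scenario(nat_prevention: bool) -> Dict[str, object]:
    """Constructed scenario: the client sits at private 10.0.0.2:500 behind a NAT
    whose mapping the gateway last saw as 198.51.100.7:4500; the NAT restarts and
    the same client appears from 198.51.100.7:40001 without having noticed."""
    spi_i = bytes.fromhex("0011223344556677")   # constructed SPIs
    spi_r = bytes.fromhex("8899aabbccddeeff")
    state = PeerState(spi_i, spi_r, ("198.51.100.7", 4500), nat_prevention)
    client_view = nat_detection_hash(spi_i, spi_r, "10.0.0.2", 500)
    outcomes = [
        handle_ike_packet(state, IkePacket(("198.51.100.7", 4500), True, False, client_view)),
        handle_ike_packet(state, IkePacket(("198.51.100.7", 40001), False, False, client_view)),
        handle_ike_packet(state, IkePacket(("198.51.100.7", 40001), True, False, client_view)),
    ]
    return {"outcomes": outcomes, "peer_addr": state.peer_addr, "alive": state.alive}


if __name__ == "__main__":
    for policy in (False, True):
        print("NAT prevention =", policy, run_scenario(policy))
```

With NAT prevention off the third packet moves the peer mapping to the new port and marks NAT-T active; with it on the SA is torn down, which is the split Tero describes. The unauthenticated packet in the middle is dropped regardless of policy: a gateway that updated its mapping on any packet from a new source would let a spoofed datagram redirect the tunnel.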