RFC Errata



RFC 3947, "Negotiation of NAT-Traversal in the IKE", January 2005

Source of RFC: ipsec (sec)

Errata ID: 4936
Status: Rejected
Type: Technical
Publication Format(s): TEXT

Reported By: Nikolai Malykh
Date Reported: 2017-02-16
Rejected by: Paul Wouters
Date Rejected: 2022-04-10

Section 5.2 says:

   The NAT-OA payloads are sent inside the first and second packets of
   Quick Mode.  The initiator MUST send the payloads if it proposes any
   UDP-Encapsulated-Transport mode, and the responder MUST send the
   payload only if it selected UDP-Encapsulated-Transport mode.  It is
   possible that the initiator sends the NAT-OA payload but proposes
   both UDP-Encapsulated transport and tunnel mode.  Then the responder
   selects the UDP-Encapsulated tunnel mode and does not send the NAT-OA
   payload back.

It should say:

   The NAT-OA payloads are sent inside the first and second packets of
   Quick Mode.  The initiator MUST send the payloads if it proposes any
   UDP-Encapsulated mode, and the responder MUST send the
   payload only if it selected UDP-Encapsulated-Transport mode.  It is
   possible that the initiator sends the NAT-OA payload but proposes
   both UDP-Encapsulated transport and tunnel mode.  Then the responder
   selects the UDP-Encapsulated tunnel mode and does not send the NAT-OA
   payload back.

Notes:


--VERIFIER NOTES--
This is an incorrect errata to the RFC3947 (IKEv1 NAT-T negotiation).

It asks to change where the initiator MUST send NAT-OA payloads to if it proposes any UDP-Encapsulation mode, compared to proposing UDP-Encapsulated-Transport mode. The original text is correct: we only need to send NAT-OA payloads if UDP-Encapsulated-Transport mode is proposed; it is not required if only UDP-Encapsulated-Tunnel mode is proposed.
