RFC Errata
Found 2 records.

Status: Reported (2)

RFC 3947, "Negotiation of NAT-Traversal in the IKE", January 2005

Source of RFC: ipsec (sec)

Errata ID: 4936

Status: Reported
Type: Technical

Reported By: Nikolai Malykh
Date Reported: 2017-02-16

Section 5.2 says:

   The NAT-OA payloads are sent inside the first and second packets of
   Quick Mode.  The initiator MUST send the payloads if it proposes any
   UDP-Encapsulated-Transport mode, and the responder MUST send the
   payload only if it selected UDP-Encapsulated-Transport mode.  It is
   possible that the initiator sends the NAT-OA payload but proposes
   both UDP-Encapsulated transport and tunnel mode.  Then the responder
   selects the UDP-Encapsulated tunnel mode and does not send the NAT-OA
   payload back.

It should say:

   The NAT-OA payloads are sent inside the first and second packets of
   Quick Mode.  The initiator MUST send the payloads if it proposes any
   UDP-Encapsulated mode, and the responder MUST send the
   payload only if it selected UDP-Encapsulated-Transport mode.  It is
   possible that the initiator sends the NAT-OA payload but proposes
   both UDP-Encapsulated transport and tunnel mode.  Then the responder
   selects the UDP-Encapsulated tunnel mode and does not send the NAT-OA
   payload back.

Errata ID: 4937

Status: Reported
Type: Technical

Reported By: Nikolai Malykh
Date Reported: 2017-02-16

Section 6 says:

   The source IP and port address of the INITIAL-CONTACT notification
   for the host behind NAT are not meaningful (as NAT can change them),
   so the IP and port numbers MUST NOT be used to determine which
   IKE/IPsec SAs to remove (see [RFC3715], section 2.1, case c).  The ID
   payload sent from the other end SHOULD be used instead; i.e., when an
   INITIAL-CONTACT notification is received from the other end, the
   receiving end SHOULD remove all the SAs associated with the same ID
   payload.

It should say:

   The source IP and port number of the INITIAL-CONTACT notification
   for the host behind NAT are not meaningful (as NAT can change them),
   so the IP and port numbers MUST NOT be used to determine which
   IKE/IPsec SAs to remove (see [RFC3715], section 2.1, case c).  The ID
   payload sent from the other end SHOULD be used instead; i.e., when an
   INITIAL-CONTACT notification is received from the other end, the
   receiving end SHOULD remove all the SAs associated with the same ID
   payload.

Notes:

Port address should be replaced with port number.
