RFC Errata
Found 2 records.
Status: Verified (1)
RFC 3947, "Negotiation of NAT-Traversal in the IKE", January 2005
Source of RFC: ipsec (sec)
Errata ID: 4937
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Nikolai Malykh
Date Reported: 2017-02-16
Verifier Name: Paul Wouters
Date Verified: 2022-04-10
Section 6 says:
The source IP and port address of the INITIAL-CONTACT notification for the host behind NAT are not meaningful (as NAT can change them), so the IP and port numbers MUST NOT be used to determine which IKE/IPsec SAs to remove (see [RFC3715], section 2.1, case c). The ID payload sent from the other end SHOULD be used instead; i.e., when an INITIAL-CONTACT notification is received from the other end, the receiving end SHOULD remove all the SAs associated with the same ID payload.
It should say:
The source IP and port number of the INITIAL-CONTACT notification for the host behind NAT are not meaningful (as NAT can change them), so the IP and port numbers MUST NOT be used to determine which IKE/IPsec SAs to remove (see [RFC3715], section 2.1, case c). The ID payload sent from the other end SHOULD be used instead; i.e., when an INITIAL-CONTACT notification is received from the other end, the receiving end SHOULD remove all the SAs associated with the same ID payload.
Notes:
Port address should be replaced with port number.
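The Section 6 text quoted above is the security-relevant rule: behind a NAT the source IP and port of an INITIAL-CONTACT packet identify the NAT mapping, not the peer, so SA deletion keyed on them either misses the stale SAs (the NAT picked a new port) or deletes another peer's SAs that share the NAT's public address. The following Python is an added illustration, not code from RFC 3947 or from any IKE implementation; the SA record layout, the peer IDs and the addresses are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PeerId:
    """An IKEv1 ID payload reduced to its type and value (constructed model)."""
    id_type: str   # e.g. "ID_USER_FQDN", "ID_FQDN"
    value: str


@dataclass(frozen=True)
class SA:
    """One established IKE or IPsec SA as recorded by the responder (constructed model)."""
    spi: int
    peer_id: PeerId   # ID payload the peer authenticated with in Phase 1
    peer_ip: str      # source address seen on the wire: the NAT's public address
    peer_port: int    # source UDP port seen on the wire, chosen by the NAT


def remove_by_address(sas, src_ip, src_port=None):
    """What Section 6 says MUST NOT be done: select SAs to delete by the source IP
    (and, if given, the source port) of the INITIAL-CONTACT packet.
    Returns (remaining, removed)."""
    def matches(sa):
        return sa.peer_ip == src_ip and (src_port is None or sa.peer_port == src_port)
    return [sa for sa in sas if not matches(sa)], [sa for sa in sas if matches(sa)]


def remove_by_peer_id(sas, peer_id):
    """Section 6 behaviour: delete every SA associated with the same ID payload as
    the peer that sent INITIAL-CONTACT. Returns (remaining, removed)."""
    return [sa for sa in sas if sa.peer_id != peer_id], [sa for sa in sas if sa.peer_id == peer_id]


# Constructed scenario: two road warriors behind one NAT whose public address is 203.0.113.7.
ALICE = PeerId("ID_USER_FQDN", "alice@example.com")
BOB = PeerId("ID_USER_FQDN", "bob@example.com")
SADB = [
    SA(spi=0x1001, peer_id=ALICE, peer_ip="203.0.113.7", peer_port=4500),
    SA(spi=0x1002, peer_id=ALICE, peer_ip="203.0.113.7", peer_port=4500),
    SA(spi=0x2001, peer_id=BOB, peer_ip="203.0.113.7", peer_port=61000),
]


def demo():
    """Alice reboots and renegotiates; the NAT now maps her to port 61001, so her
    INITIAL-CONTACT arrives from 203.0.113.7:61001. Returns the SPIs each strategy deletes."""
    by_ip_port = remove_by_address(SADB, "203.0.113.7", 61001)[1]   # finds nothing: stale SAs survive
    by_ip_only = remove_by_address(SADB, "203.0.113.7")[1]          # also tears down Bob's SA
    by_id = remove_by_peer_id(SADB, ALICE)[1]                       # exactly Alice's old SAs
    return (sorted(sa.spi for sa in by_ip_port),
            sorted(sa.spi for sa in by_ip_only),
            sorted(sa.spi for sa in by_id))


if __name__ == "__main__":
    print(demo())
```

The ID-keyed deletion only makes sense after the INITIAL-CONTACT has been received inside an authenticated exchange; an unauthenticated notification carrying someone else's ID would otherwise let a third party clear that peer's SAs.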
Status: Rejected (1)
RFC 3947, "Negotiation of NAT-Traversal in the IKE", January 2005
Source of RFC: ipsec (sec)
Errata ID: 4936
Status: Rejected
Type: Technical
Publication Format(s) : TEXT
Reported By: Nikolai Malykh
Date Reported: 2017-02-16
Rejected by: Paul Wouters
Date Rejected: 2022-04-10
Section 5.2 says:
The NAT-OA payloads are sent inside the first and second packets of Quick Mode. The initiator MUST send the payloads if it proposes any UDP-Encapsulated-Transport mode, and the responder MUST send the payload only if it selected UDP-Encapsulated-Transport mode. It is possible that the initiator sends the NAT-OA payload but proposes both UDP-Encapsulated transport and tunnel mode. Then the responder selects the UDP-Encapsulated tunnel mode and does not send the NAT-OA payload back.
It should say:
The NAT-OA payloads are sent inside the first and second packets of Quick Mode. The initiator MUST send the payloads if it proposes any UDP-Encapsulated mode, and the responder MUST send the payload only if it selected UDP-Encapsulated-Transport mode. It is possible that the initiator sends the NAT-OA payload but proposes both UDP-Encapsulated transport and tunnel mode. Then the responder selects the UDP-Encapsulated tunnel mode and does not send the NAT-OA payload back.
Notes:
--VERIFIER NOTES--
This is an incorrect erratum against RFC 3947 (IKEv1 NAT-T negotiation).
It asks to change the text so that the initiator MUST send NAT-OA payloads if it proposes any UDP-Encapsulated mode, as opposed to proposing UDP-Encapsulated-Transport mode. The original text is correct: we only need to send NAT-OA payloads if UDP-Encapsulated-Transport mode is proposed; it is not required if only UDP-Encapsulated-Tunnel mode is proposed.
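The Section 5.2 rule that the rejected erratum would have loosened is easy to get wrong in both directions: the initiator must attach NAT-OA whenever any proposal is UDP-Encapsulated-Transport, and the responder attaches it only when that mode is what it selected, so an initiator that offered both transport and tunnel can legitimately get a reply with no NAT-OA. The following Python is an added illustration of that exchange and of a conformance check for each side; it is not code from RFC 3947 or from any IKE implementation. The message layout (a dict of named payloads), the single "NAT-OA" field carrying the sender's original addresses, the mode names and the sample addresses are simplifications and constructed values for the example; the actual NAT-OA payload encoding and ordering are not covered here.

```python
# Encapsulation modes named in RFC 3947 section 5.2 (numeric attribute values omitted).
TUNNEL = "Tunnel"
TRANSPORT = "Transport"
UDP_ENCAP_TUNNEL = "UDP-Encapsulated-Tunnel"
UDP_ENCAP_TRANSPORT = "UDP-Encapsulated-Transport"


def build_qm1(proposed_modes, nat_oa):
    """Initiator's first Quick Mode message (constructed model).
    NAT-OA is attached if any proposed mode is UDP-Encapsulated-Transport."""
    msg = {"proposals": list(proposed_modes)}
    if UDP_ENCAP_TRANSPORT in proposed_modes:
        msg["NAT-OA"] = tuple(nat_oa)
    return msg


def build_qm2(qm1, responder_preference, nat_oa):
    """Responder's second Quick Mode message (constructed model): pick the first mode
    in the responder's preference order that the initiator proposed, and attach NAT-OA
    only if the selected mode is UDP-Encapsulated-Transport."""
    selected = next((m for m in responder_preference if m in qm1["proposals"]), None)
    if selected is None:
        raise ValueError("no acceptable encapsulation mode proposed")
    msg = {"selected": selected}
    if selected == UDP_ENCAP_TRANSPORT:
        msg["NAT-OA"] = tuple(nat_oa)
    return msg


def check_qm1(qm1):
    """Responder-side check of the initiator's obligation. Returns None if conformant,
    otherwise a description of the violation."""
    if UDP_ENCAP_TRANSPORT in qm1["proposals"] and "NAT-OA" not in qm1:
        return "initiator proposed UDP-Encapsulated-Transport but sent no NAT-OA"
    return None


def check_qm2(qm2):
    """Initiator-side check of the responder's obligation ('only if it selected
    UDP-Encapsulated-Transport'). Returns None if conformant, otherwise a description."""
    has_nat_oa = "NAT-OA" in qm2
    if qm2["selected"] == UDP_ENCAP_TRANSPORT and not has_nat_oa:
        return "responder selected UDP-Encapsulated-Transport but sent no NAT-OA"
    if qm2["selected"] != UDP_ENCAP_TRANSPORT and has_nat_oa:
        return "responder sent NAT-OA without selecting UDP-Encapsulated-Transport"
    return None


# Constructed addresses: initiator's private address and the responder as the initiator sees it.
INITIATOR_OA = ("10.0.0.5", "192.0.2.10")
RESPONDER_OA = ("192.0.2.10", "10.0.0.5")


def demo():
    """The case described in section 5.2: the initiator offers both UDP-encapsulated
    modes, the responder prefers tunnel mode and therefore replies without NAT-OA."""
    qm1 = build_qm1([UDP_ENCAP_TRANSPORT, UDP_ENCAP_TUNNEL], INITIATOR_OA)
    qm2 = build_qm2(qm1, [UDP_ENCAP_TUNNEL, UDP_ENCAP_TRANSPORT], RESPONDER_OA)
    return qm1, qm2, check_qm1(qm1), check_qm2(qm2)


if __name__ == "__main__":
    print(demo())
```

With only UDP-Encapsulated-Tunnel proposed, build_qm1 sends no NAT-OA and check_qm1 still passes, which is the behaviour the verifier note defends against the erratum's broader "any UDP-Encapsulated mode" wording.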