
RE: IPsec and TCP



>>Reply to your message of 12/21/96 10:54 AM
>In the case where you are the clear-text machine behind a firewall, and the
>firewall is waiting for keys, you will still have this problem.
>
>On the other hand, I think there is already a mechanism for this.  I think
>the ICMP SOURCE QUENCH message is exactly intended for the "please stop
>sending a moment, I am busy" case.
>
>So, since the problem you describe can happen in both cases (tcp and ipsec
>colocated, and tcp and ipsec in different nodes) I think it would be worth
>researching the meaning and implementation of Source Quench for this case.
>I believe Source Quench is in the Host Requirements RFC, and therefore it
>is reasonable to use this mechanism, assuming it's appropriate.
>
>OK, someone who has memorized all the ICMP RFC's and the Host Req RFC,
>please correct me ...

RFC-1122, page 40 ("I'll take Host Requirements for $400, Alex"..)
seems to suggest that this would be acceptable.  One possible issue,
however, might be how you'd determine that the Source Quench you're
receiving is the result of a rekeying event, in which case you'd want
to stop your timers, vs. a real congestion situation, in which case
you wouldn't.
-- Frank
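To make the mechanism under discussion concrete, here is an added example (not part of the thread, and not anyone's implementation) showing what a host actually has to do with an ICMP Source Quench: parse the RFC 792 type-4 message, recover the quoted IP header and first 8 bytes of the TCP header, hand it to the connection that owns that flow as RFC 1122 requires, and then decide whether to back off for congestion or just hold its timers. The packet is constructed inline; the `rekeying_peers` set is a hypothetical stand-in for the open question Frank raises (how the host would know that a given quencher is mid-rekey rather than congested), and the sequence-number range check is a common sanity check on ICMP errors, not something the thread prescribes.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional

ICMP_SOURCE_QUENCH = 4   # RFC 792 message type
IPPROTO_ICMP = 1
IPPROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_source_quench(quencher: str, victim: str, orig_src: str, orig_dst: str,
                        sport: int, dport: int, seq: int) -> bytes:
    """Constructed ICMP Source Quench as a quenching node (e.g. a firewall) would emit it.

    The ICMP body quotes the IP header of the offending datagram plus the first
    8 bytes of its TCP header (ports and sequence number), per RFC 792.
    """
    inner_ip = ipv4_header(orig_src, orig_dst, IPPROTO_TCP, 20 + 512)  # 512: constructed original payload size
    inner_tcp8 = struct.pack("!HHI", sport, dport, seq)
    body = struct.pack("!BBHI", ICMP_SOURCE_QUENCH, 0, 0, 0) + inner_ip + inner_tcp8
    icmp = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(quencher, victim, IPPROTO_ICMP, len(icmp)) + icmp


def parse_source_quench(packet: bytes) -> Optional[dict]:
    """Return {quencher, flow, seq} for a valid Source Quench quoting a TCP segment, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != IPPROTO_ICMP:
        return None
    ihl = (packet[0] & 0x0F) * 4
    quencher = str(IPv4Address(packet[12:16]))
    icmp = packet[ihl:]
    if len(icmp) < 8 + 20 + 8:
        return None
    itype, code, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if itype != ICMP_SOURCE_QUENCH or code != 0 or inet_checksum(icmp) != 0:
        return None
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != IPPROTO_TCP or len(inner) < inner_ihl + 8:
        return None  # quoted datagram was not TCP; nothing for TCP to act on
    orig_src = str(IPv4Address(inner[12:16]))
    orig_dst = str(IPv4Address(inner[16:20]))
    sport, dport, seq = struct.unpack("!HHI", inner[inner_ihl:inner_ihl + 8])
    return {"quencher": quencher, "flow": (orig_src, sport, orig_dst, dport), "seq": seq}


def handle_source_quench(packet: bytes, connections: dict, rekeying_peers: set) -> str:
    """Decide what TCP should do with an incoming Source Quench.

    connections:    {(src, sport, dst, dport): {"snd_una": int, "snd_nxt": int}}, the local send state.
    rekeying_peers: HYPOTHETICAL set of quencher addresses known to be waiting on IPsec keys;
                    the thread leaves open how a host would learn this.
    """
    sq = parse_source_quench(packet)
    if sq is None:
        return "ignore"
    conn = connections.get(sq["flow"])
    if conn is None:
        return "ignore"  # RFC 1122 4.2.3.9: deliver to the owning connection; there is none
    # Drop quenches quoting a sequence number we never sent (stale or spoofed ICMP).
    # Sequence wraparound is ignored here for clarity.
    if not (conn["snd_una"] <= sq["seq"] < conn["snd_nxt"]):
        return "ignore"
    if sq["quencher"] in rekeying_peers:
        return "hold_timers"          # peer is busy rekeying: pause, do not treat as loss
    return "congestion_backoff"       # ordinary Source Quench: slow down as RFC 1122 directs


if __name__ == "__main__":
    # Constructed scenario: firewall 192.0.2.1 quenches host 198.51.100.7 for its flow to 203.0.113.9:443.
    pkt = build_source_quench("192.0.2.1", "198.51.100.7", "198.51.100.7", "203.0.113.9", 40000, 443, 1000)
    conns = {("198.51.100.7", 40000, "203.0.113.9", 443): {"snd_una": 900, "snd_nxt": 2000}}
    print(parse_source_quench(pkt))
    print(handle_source_quench(pkt, conns, {"192.0.2.1"}))   # hold_timers
    print(handle_source_quench(pkt, conns, set()))           # congestion_backoff
```

The point the parser makes visible is the one Frank's caveat turns on: the message carries nothing that says why the quencher is busy, so any "rekey vs. congestion" decision has to come from state the host keeps outside the ICMP message itself.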
