
Re: INITIAL-CONTACT issues

Hi Sankar,

I'm really swamped, so I don't have time to research all the reasons for
the decision to use UDP instead of TCP. I joined the working group after
that discussion occurred, but a little thought reveals a number of
problems with your proposal.

Sankar Ramamoorthi wrote:
> 
> If the same TCP stream is used across rekeying,
> then TCP connection overhead is not an issue - right?
> 

1) In this case the overhead is reduced, but not eliminated entirely.

2) This effectively removes identity PFS capability - a Very Bad Thing
(tm).

3) One of the design requirements for ISAKMP, and hence IKE, was
transport protocol independence. Requiring the use of TCP in order to
provide keepalive capability is contrary to this design requirement.

4) A DoS attack is more easily mounted if the transport is TCP.

I will add that the spec does not preclude the use of TCP, and you are
welcome to implement ISAKMP over whatever transport you choose. However,
the minimum interoperability requirement is for UDP port 500 support.

Scott
