
Re: INITIAL-CONTACT issues



I have some questions for the WG.

Has anyone had deployment experience with IKE?
Do actual customers like it running over UDP?
Is there any resistance to opening an IKE UDP
port in firewalls?

- Alex

At 08:59 AM 5/4/99 -0700, Scott G. Kelly wrote:
>Hi Sankar,
>
>I'm really swamped, so I don't have time to research all the reasons for
>the decision to use UDP instead of TCP. I joined the working group after
>that discussion occurred, but a little thought reveals a number of
>problems with your proposal.
>
>Sankar Ramamoorthi wrote:
>> 
>> If the same TCP stream is used across rekeying,
>> then TCP connection overhead is not an issue - right?
>> 
>
>1) In this case the overhead is reduced, but not eliminated entirely.
>
>2) This effectively removes identity PFS capability - a Very Bad Thing
>(tm).
>
>3) One of the design requirements for ISAKMP, and hence IKE, was
>transport protocol independence. Requiring the use of TCP in order to
>provide keepalive capability is contrary to this design requirement.
>
>4) A DoS attack is more easily mounted if the transport is TCP.
>
>I will add that the spec does not preclude the use of TCP, and you are
>welcome to implement ISAKMP over whatever transport you choose. However,
>the minimum interoperability requirement is for UDP port 500 support.
>
>Scott
>
--

Alex Alten

Alten@Home.Com
Alten@TriStrata.Com

P.O. Box 11406
Pleasanton, CA  94588  USA
(925) 417-0159
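An added example, not part of the thread: a Python parser for the fixed ISAKMP header (RFC 2408) as carried in a UDP port 500 datagram, the kind of sanity check a firewall or monitor would apply before admitting traffic on that port. The sample datagram is constructed for illustration.

```python
import struct

# ISAKMP (RFC 2408) fixed header layout, as carried in a UDP/500 datagram:
#   8 bytes  initiator cookie
#   8 bytes  responder cookie
#   1 byte   next payload
#   1 byte   version (major nibble, minor nibble)
#   1 byte   exchange type
#   1 byte   flags (bit 0 = encryption)
#   4 bytes  message ID
#   4 bytes  total length, header included
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_HDR_LEN = ISAKMP_HDR.size  # 28

EXCHANGE_TYPES = {
    1: "Base", 2: "Identity Protection", 3: "Authentication Only",
    4: "Aggressive", 5: "Informational", 32: "Quick Mode",
}

def parse_isakmp_header(datagram: bytes) -> dict:
    """Parse the fixed ISAKMP header from a UDP payload.

    Raises ValueError on anything that cannot be a well-formed IKEv1
    header, so a filter can drop junk aimed at the open UDP/500 port.
    """
    if len(datagram) < ISAKMP_HDR_LEN:
        raise ValueError("datagram shorter than ISAKMP header")
    icookie, rcookie, nxt, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(datagram)
    if ver >> 4 != 1:
        raise ValueError(f"unsupported ISAKMP major version {ver >> 4}")
    if length != len(datagram):
        raise ValueError(f"length field {length} != datagram size {len(datagram)}")
    if icookie == bytes(8):
        raise ValueError("initiator cookie must be non-zero")
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "next_payload": nxt,
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange": EXCHANGE_TYPES.get(xchg, f"unknown({xchg})"),
        "encrypted": bool(flags & 0x01),
        "message_id": msgid,
        "length": length,
    }

# Constructed sample: first Main Mode message (exchange type 2), SA payload next (1),
# responder cookie still zero, 28-byte header followed by a 4-byte dummy body.
SAMPLE = ISAKMP_HDR.pack(bytes.fromhex("0123456789abcdef"), bytes(8), 1, 0x10, 2, 0, 0, 32) + b"\x00" * 4
```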


