Re: INITIAL-CONTACT issues
Some of us are not terribly thrilled with the unreliable nature of UDP
and the retry burden placed on IKE. Van Jacobson's law applies --
"People who don't use TCP are doomed to re-invent it."
Try running an IKE session between San Jose California and
somewhere in the eastern Mediterranean and watch the pretty retry-logic
crashes.
Date sent: Fri, 07 May 1999 09:13:40 -0700
From: "Scott G. Kelly" <skelly@redcreek.com>
Organization: RedCreek Communications
To: Alex Alten <Alten@home.com>
Copies to: Sankar Ramamoorthi <Sankar@vpnet.com>, ipsec@lists.tislabs.com
Subject: Re: INITIAL-CONTACT issues
> <recipient list trimmed, as Steve Kent opted out several posts back...>
>
> Alex Alten wrote:
> >
> > I have some questions for the WG.
> >
> > Has anyone had deployment experience with IKE?
>
> Lots of us have.
>
> > Do actual customers like it running over UDP?
>
> Many don't know what UDP is, much less care. Also, in my experience most
> have no idea what protocol IKE runs over.
>
> > Is there any resistance with opening an IKE UDP
> > port in firewalls?
> >
>
> Yes, some, and this applies to esp and ah as well as udp/ike. There are
> basically 3 cases for deployment: (1) the SAs run through the firewall to
> hosts inside, (2) the SAs terminate at the firewall, and (3) the ipsec
> device is in front of the firewall, so the firewall never sees ipsec
> traffic. The only time the hole is an issue is for case 1.
>
> Scott
>
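The point at the top of this message (a datagram transport pushes TCP's
retransmission problems onto IKE, and naive retry logic fails on long paths)
can be seen with a small simulation. This is an added example, not code from
the original thread, from any IKE implementation, or from an RFC: it runs one
request/reply exchange over a simulated link whose round trip (700 ms) is
longer than the initiator's fixed timeout (500 ms), first with a naive
initiator (fixed timeout, no backoff, late replies discarded as stale, fresh
responder state per request) and then with a TCP-style one (exponential
backoff, any reply for the exchange accepted, responder answers retransmits
from a cache). The delay, timeout, retry limit and which datagrams the link
drops are constructed values chosen for the demonstration.

```python
"""Simulated request/reply exchange over a lossy, high-latency datagram link.

Constructed parameters (not IKE's or any implementation's): 350 ms one-way
delay, 500 ms base timeout, five attempts, and an explicit list of which
datagrams the link drops so every run is exact and reproducible.  Times are
integer milliseconds.
"""
import heapq


class Exchange:
    def __init__(self, one_way_ms, drops, backoff, dedup,
                 base_timeout_ms=500, max_tries=5):
        self.delay = one_way_ms
        self.drops = set(drops)       # 1-based indices of datagrams the link eats
        self.backoff = backoff        # double the timeout on every retransmit
        self.dedup = dedup            # responder repeats cached reply for a retransmit
        self.base_timeout = base_timeout_ms
        self.max_tries = max_tries
        self.events = []              # min-heap of (time, seq, kind, payload)
        self.seq = 0                  # tie-breaker so payload dicts are never compared
        self.sent = 0                 # datagrams handed to the link so far
        self.now = 0
        self.tries = 0
        self.gave_up = False
        self.completed_at = None
        self.stale_replies = 0        # replies the initiator threw away
        self.responder_states = 0     # fresh "SAs" the responder instantiated
        self.cache = {}               # responder: exchange id -> reply already sent

    def schedule(self, delay, kind, payload):
        self.seq += 1
        heapq.heappush(self.events, (self.now + delay, self.seq, kind, payload))

    def transmit(self, kind, payload):
        # The unreliable link: a datagram is either dropped or delivered after
        # one one-way delay, and nothing tells the sender which happened.
        self.sent += 1
        if self.sent not in self.drops:
            self.schedule(self.delay, kind, payload)

    def send_request(self):
        self.tries += 1
        timeout = self.base_timeout * (2 ** (self.tries - 1)) if self.backoff else self.base_timeout
        self.transmit("request", {"xid": 1, "attempt": self.tries})
        self.schedule(timeout, "timer", {"attempt": self.tries})

    def on_timer(self, p):
        if p["attempt"] != self.tries or self.completed_at is not None:
            return                    # timer of an older attempt, or already done
        if self.tries < self.max_tries:
            self.send_request()
        else:
            self.gave_up = True       # initiator tears the exchange down

    def on_request(self, p):
        if self.dedup and p["xid"] in self.cache:
            reply = self.cache[p["xid"]]    # retransmit: repeat reply, no new state
        else:
            self.responder_states += 1
            reply = {"xid": p["xid"], "attempt": p["attempt"]}
            self.cache[p["xid"]] = reply
        self.transmit("reply", reply)

    def on_reply(self, p):
        if self.completed_at is not None:
            return
        # Naive initiator: a reply to an attempt whose timer already fired, or
        # one arriving after it gave up, is "stale" and discarded.
        if self.gave_up or (not self.backoff and p["attempt"] != self.tries):
            self.stale_replies += 1
            return
        self.completed_at = self.now

    def run(self):
        self.send_request()
        handlers = {"timer": self.on_timer, "request": self.on_request, "reply": self.on_reply}
        while self.events:
            self.now, _, kind, payload = heapq.heappop(self.events)
            handlers[kind](payload)
        return self.completed_at


def compare(one_way_ms=350, drops=(1, 3)):
    """Run both initiators over the same link; drops lists the datagrams it eats."""
    naive = Exchange(one_way_ms, drops, backoff=False, dedup=False)
    robust = Exchange(one_way_ms, drops, backoff=True, dedup=True)
    naive.run()
    robust.run()
    return naive, robust


if __name__ == "__main__":
    for drops in ((1, 3), ()):
        naive, robust = compare(drops=drops)
        for name, ex in (("naive", naive), ("robust", robust)):
            print(f"drops={drops} {name:6s} completed_at={ex.completed_at} tries={ex.tries} "
                  f"stale_replies={ex.stale_replies} responder_states={ex.responder_states}")
```

With the first request and first reply dropped, the naive initiator never
completes: every reply lands after the next retransmission has already gone
out, so each one is discarded as stale while the responder has built four
separate states for what was one exchange. The same happens with no loss at
all, because the fixed timeout is shorter than the round trip. The backoff
initiator completes at 2200 ms after three sends and leaves exactly one state
on the responder, which is what a transport-layer retransmission scheme would
have given for free.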