
Re: INITIAL-CONTACT issues



Some of us are not terribly thrilled with the unreliable nature of UDP 
and the retry burden placed on IKE.  Van Jacobson's law applies -- 
"People who don't use TCP are doomed to re-invent it."

Try running an IKE session between San Jose, California and 
somewhere in the eastern Mediterranean and watch the pretty retry-logic 
crashes.

Date sent:      	Fri, 07 May 1999 09:13:40 -0700
From:           	"Scott G. Kelly" <skelly@redcreek.com>
Organization:   	RedCreek Communications
To:             	Alex Alten <Alten@home.com>
Copies to:      	Sankar Ramamoorthi <Sankar@vpnet.com>, ipsec@lists.tislabs.com
Subject:        	Re: INITIAL-CONTACT issues

> <recipient list trimmed, as Steve Kent opted out several posts back...>
> 
> Alex Alten wrote:
> > 
> > I have some questions for the WG.
> > 
> > Has anyone had deployment experience with IKE?
> 
> Lots of us have.
> 
> > Do actual customers like it running over UDP?
> 
> Many don't know what UDP is, much less care. Also, in my experience most
> have no idea what protocol IKE runs over.
> 
> > Is there any resistance to opening an IKE UDP
> > port in firewalls?
> > 
> 
> Yes, some, and this applies to esp and ah as well as udp/ike. There are
> basically 3 cases for deployment: (1) the SAs run through the firewall to
> hosts inside, (2) the SAs terminate at the firewall, and (3) the ipsec
> device is in front of the firewall, so the firewall never sees ipsec
> traffic. The only time the hole is an issue is for case 1.
> 
> Scott
> 
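The retransmission burden the first message complains about can be made concrete with a small simulation. The block below is an added example, not code from this thread or from any IKE implementation: it models one IKE request/response exchange over a UDP path with an assumed 240 ms round trip and 20% loss in each direction, and compares a fixed 100 ms timer against an exponential-backoff timer, both allowed three retries. All path parameters, policy names and numbers are assumptions chosen for illustration.

```python
"""Retransmission of one IKE message over a lossy, high-latency UDP path.

Constructed simulation, added here as an example; it is not code from the
original thread nor from any IKE implementation. The path delay, loss rate
and timer policies are assumed values chosen for illustration.
"""
import random
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class RetryPolicy:
    """Initiator timer policy: first timeout, multiplier per retry, retry count."""
    initial_timeout_ms: float
    backoff: float
    max_retries: int

    def schedule(self) -> tuple[list[float], float]:
        """Return the (re)transmission times and the moment the initiator gives up.

        The message goes out at t=0 and again each time the timer fires;
        after the last timer fires with no reply, the exchange is abandoned.
        """
        times, t, timeout = [], 0.0, self.initial_timeout_ms
        for _ in range(self.max_retries + 1):
            times.append(t)
            t += timeout
            timeout *= self.backoff
        return times, t


def run_exchange(policy: RetryPolicy, rtt_ms: float,
                 delivered: Sequence[bool]) -> tuple[bool, int, float]:
    """Simulate one request/response exchange.

    delivered[i] is True when transmission i and its reply both survive the
    path (a missing entry counts as lost). The responder answers every copy
    it receives, so the first surviving copy decides the outcome. Returns
    (succeeded, copies_sent, elapsed_ms).
    """
    times, give_up_at = policy.schedule()
    reply_at = None
    for i, t in enumerate(times):
        if i < len(delivered) and delivered[i]:
            reply_at = t + rtt_ms  # request and reply each cross the path once
            break
    if reply_at is None or reply_at > give_up_at:
        # No reply at all, or the reply is still in flight when the initiator gives up.
        return False, len(times), give_up_at
    copies_sent = sum(1 for t in times if t < reply_at)
    return True, copies_sent, reply_at


def success_rate(policy: RetryPolicy, rtt_ms: float, loss_per_direction: float,
                 trials: int, seed: int = 1) -> float:
    """Fraction of exchanges that complete, with independent loss per direction."""
    rng = random.Random(seed)  # seeded so the result is reproducible
    n = policy.max_retries + 1
    completed = 0
    for _ in range(trials):
        delivered = [rng.random() >= loss_per_direction
                     and rng.random() >= loss_per_direction for _ in range(n)]
        completed += run_exchange(policy, rtt_ms, delivered)[0]
    return completed / trials


# Assumed path: ~240 ms round trip and 20% loss per direction, standing in
# for the long-haul case mentioned in the thread.
RTT_MS = 240.0
LOSS = 0.20
FIXED_SHORT = RetryPolicy(initial_timeout_ms=100.0, backoff=1.0, max_retries=3)
EXP_BACKOFF = RetryPolicy(initial_timeout_ms=500.0, backoff=2.0, max_retries=3)


if __name__ == "__main__":
    # A timer shorter than the RTT sends duplicate copies even on a loss-free path...
    print("fixed 100 ms, no loss:  ", run_exchange(FIXED_SHORT, RTT_MS, [True] * 4))
    # ...and gives up while the reply is still in flight after two losses.
    print("fixed 100 ms, 2 losses: ", run_exchange(FIXED_SHORT, RTT_MS, [False, False, True, True]))
    print("exp backoff, 2 losses:  ", run_exchange(EXP_BACKOFF, RTT_MS, [False, False, True, True]))
    for name, pol in (("fixed 100 ms", FIXED_SHORT), ("exp backoff", EXP_BACKOFF)):
        print(f"{name}: success rate {success_rate(pol, RTT_MS, LOSS, 2000):.3f}")
```

Two things stand out when this runs. With a timer shorter than the path RTT, the initiator has three copies of the same message on the wire before the first reply can possibly arrive, and after two lost copies it abandons the exchange at 400 ms while a good reply is still 40 ms away; the backoff policy completes the same scenario, at the cost of waiting longer before each retry. The model also assumes the responder answers every copy it receives, which is what retransmission semantics require; a responder that treats a duplicate as a new exchange, or an initiator that discards a reply to an earlier copy, is the kind of retry-logic failure the thread alludes to, and is worth testing explicitly against a long-haul path rather than only on a LAN.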
