Re: IKE transport (was INITIAL-CONTACT issues)
"Burden, James" wrote:
>
> Greetings,
>
> I have been lurking and learning on here for a while. This was written a
> couple of days ago, but I did not send it as I thought the UDP debate would
> have died as it did in the Intrusion Detection Work Group (IDWG).
> Personally, I am wary of allowing any UDP through a firewall.
Question: why would you be less wary of allowing tcp through?
> A couple of thoughts come to mind. With UDP, the application (layer) must
> keep session information (or not), do error checking, and ensure security.
Is this any different with TCP?
> In addition, UDP requires some mechanism to prevent IP spoofing. This is
> all done at layer 7. The application (and the implementation) must be
> trusted, and you could potentially lose your defense in depth with the
> firewall.
Again, why would tcp be different?
> I would agree that a DoS attack is easily mounted against TCP, but it would
> be easier to defend than UDP.
How so?
> The IETF's IDWG discussed using UDP for transport. Below is a URL to the
> archives.
> Jim
<trimmed...>
additional comments follow in a new thread...
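The quoted message argues that a UDP-based protocol such as IKE must prevent IP spoofing at the application layer itself, because nothing below it establishes that the peer can actually receive packets at its claimed source address. The usual answer, which IKE and Photuris use, is a stateless cookie: the responder replies to first contact with a value derived from a secret and the claimed source address, keeps no state, and only allocates a session once that value is echoed back. The following is an added example written for this page, not code from the IETF discussion or any IKE implementation; the cookie layout, the 60-second time slot, the Responder class and the addresses used in the simulation are all assumptions for illustration.

```python
import hashlib
import hmac
import time

# Responder-side stateless cookie (an illustrative reconstruction of the
# Photuris/IKE idea, not any implementation's wire format). The responder
# commits no memory for a new UDP peer until that peer proves it can receive
# packets at its claimed source address by echoing the cookie.

COOKIE_LEN = 16  # assumption: truncated HMAC-SHA256 is enough for a liveness proof


def time_slot(now=None, period=60):
    """Coarse timestamp so cookies expire without the responder storing them."""
    now = time.time() if now is None else now
    return int(now // period)


def make_cookie(secret, src_ip, src_port, slot):
    """Cookie = HMAC(secret, src_ip || src_port || slot). Nothing is stored."""
    msg = f"{src_ip}|{src_port}|{slot}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]


def check_cookie(secret, src_ip, src_port, cookie, now=None, period=60):
    """Accept the current and the previous slot so a cookie issued just before
    rollover is still valid; anything older is rejected."""
    slot = time_slot(now, period)
    for s in (slot, slot - 1):
        if hmac.compare_digest(make_cookie(secret, src_ip, src_port, s), cookie):
            return True
    return False


class Responder:
    """Minimal UDP responder: first contact gets a cookie and no state; a
    valid cookie echo gets a session; anything else is dropped."""

    def __init__(self, secret, period=60):
        self.secret = secret
        self.period = period
        self.sessions = {}  # created only after a valid cookie echo

    def handle(self, src_ip, src_port, packet, now):
        cookie = packet.get("cookie")
        if cookie is None:
            # First contact: answer with a cookie bound to the claimed source,
            # allocate nothing. A spoofed flood costs us one HMAC per packet.
            slot = time_slot(now, self.period)
            return {"type": "COOKIE",
                    "cookie": make_cookie(self.secret, src_ip, src_port, slot)}
        if not check_cookie(self.secret, src_ip, src_port, cookie,
                            now, self.period):
            return {"type": "REJECT"}
        self.sessions[(src_ip, src_port)] = {"started": now}
        return {"type": "ACCEPT"}


def simulate():
    """Constructed scenario: one honest peer plus a spoofed first-contact flood.
    Returns (honest peer's final reply type, number of sessions allocated)."""
    resp = Responder(secret=b"\x11" * 32)
    now = 1_700_000_000.0
    # Honest peer at a constructed address completes the round trip.
    first = resp.handle("192.0.2.10", 500, {}, now)
    second = resp.handle("192.0.2.10", 500, {"cookie": first["cookie"]}, now + 1)
    # Attacker sprays first-contact packets from 200 spoofed addresses; the
    # cookies go to addresses it cannot read, so it never completes.
    for i in range(200):
        resp.handle(f"203.0.113.{i % 256}", 500 + i, {}, now)
    return second["type"], len(resp.sessions)


if __name__ == "__main__":
    print(simulate())
```

The cookie binds the claimed source address and port, so a value obtained at one address cannot be replayed from another, and the time slot in the HMAC input lets it expire without the responder remembering anything. This is exactly the kind of layer 7 anti-spoofing work the quoted message refers to; a TCP listener gets the equivalent proof from the three-way handshake (or SYN cookies under flood), which is why the transport choice changes where, not whether, that check has to live.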