
Re: IKE transport (was INITIAL-CONTACT issues)



"Burden, James" wrote:
> 
> Greetings,
> 
> I have been lurking and learning on here for a while.  This was written a
> couple of days ago, but I did not send it as I thought the UDP debate would
> have died as it did in the Intrusion Detection Work Group (IDWG).
> Personally, I am wary of allowing any UDP through a firewall.

Question: why would you be less wary of allowing TCP through?

 
> A couple of thoughts come to mind.  With UDP, the application (layer) must 
> keep session information (or not), do error checking, and ensure security.

Is this any different with TCP?

> In addition, UDP requires some mechanism to prevent IP spoofing.  This is
> all done at layer 7.  The application (and the implementation) must be
> trusted, and you could potentially lose your defense in depth with the
> firewall.

Again, why would TCP be different?

> I would agree that a DoS attack is easily mounted against TCP, but it would
> be easier to defend than UDP.

How so?

> The IETF's IDWG discussed using UDP for transport.  Below is a URL to the
> archives.
> Jim

<trimmed...>

additional comments follow in a new thread...
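The quoted message argues that a UDP service has to supply at layer 7 what TCP's handshake gives for free: some proof that the claimed source address can actually receive packets, so that a spoofed flood cannot make the server allocate state. The following is an added example, not code from this thread or from any IKE implementation, showing the generic stateless-cookie pattern that IKE's anti-clogging cookies embody: the responder answers an un-cookied request with an HMAC over the source address, port and a time window, stores nothing, and only creates a session once that cookie is echoed back. The class and function names, the cookie length and the 30-second lifetime are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed example (not from the mailing-list thread): a stateless
# return-routability cookie for a UDP responder. No per-peer state exists
# until the initiator echoes a cookie that only a host able to receive
# packets at the claimed source address could have seen. Names, cookie
# length and lifetime are assumptions made for this illustration.

COOKIE_LEN = 16
COOKIE_LIFETIME = 30  # seconds a cookie stays valid (assumed value)


class Responder:
    def __init__(self, secret: Optional[bytes] = None, now=time.time):
        # The secret never leaves the responder; cookies are not guessable.
        self.secret = secret or os.urandom(32)
        self.now = now  # injectable clock so expiry can be tested offline
        self.sessions = {}  # state is created only after cookie validation

    def _cookie(self, src_ip: str, src_port: int, window: int) -> bytes:
        msg = f"{src_ip}|{src_port}|{window}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]

    def handle_init(self, src_ip: str, src_port: int, cookie: Optional[bytes]):
        """Return ('COOKIE', cookie) for an un-cookied request, ('ACCEPT', id)
        once a valid cookie is echoed back, or ('REJECT', None) otherwise."""
        window = int(self.now()) // COOKIE_LIFETIME
        if cookie is None:
            # Nothing stored: a spoofed source receives a reply it never sees.
            return ("COOKIE", self._cookie(src_ip, src_port, window))
        # Accept the current or previous window so a cookie issued just
        # before a boundary is still honoured; anything older is rejected.
        for w in (window, window - 1):
            if hmac.compare_digest(cookie, self._cookie(src_ip, src_port, w)):
                sid = len(self.sessions) + 1
                self.sessions[(src_ip, src_port)] = sid
                return ("ACCEPT", sid)
        return ("REJECT", None)


def exchange(responder: Responder, src_ip: str, src_port: int, spoofed: bool = False):
    """Drive both sides of the two-round-trip exchange. A legitimate initiator
    retries with the cookie it received; a spoofed initiator never receives
    it and can only send a guess, which the responder rejects."""
    kind, cookie = responder.handle_init(src_ip, src_port, None)
    assert kind == "COOKIE"
    if spoofed:
        guess = os.urandom(COOKIE_LEN)  # the real cookie went to the forged address
        return responder.handle_init(src_ip, src_port, guess)
    return responder.handle_init(src_ip, src_port, cookie)


if __name__ == "__main__":
    r = Responder()
    print(exchange(r, "192.0.2.10", 500))                 # ('ACCEPT', 1)
    print(exchange(r, "192.0.2.99", 500, spoofed=True))   # ('REJECT', None)
    print(len(r.sessions))                                # 1
```

The point the example makes for the firewall discussion is that the responder commits no memory before the second message, so a spoofed-source flood costs the attacker as much bandwidth as it costs the server, which is the property a TCP handshake provides at layer 4 and a UDP application has to build for itself.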

