
Re: IKE transport (was INITIAL-CONTACT issues)



Hi Jim,

Thanks for your detailed reply, and sorry I did not get back to you
sooner. After reading and re-reading your reply, it seems to me that
there were implicit assumptions behind my questions which should perhaps
be made explicit to clear this up. 

This discussion began with a suggestion that ISAKMP/IKE should be run
over TCP instead of UDP, and that this requirement be listed as "SHOULD"
in the RFC. I followed up that post with some speculation as to why UDP
might have been chosen instead of TCP to begin with, and cited
additional overhead as one possible concern. I guess I don't really need
to go back through the thread in its entirety here, but I also suggested
that one of the original design requirements was transport independence,
and also that a DoS attack might be easier to mount if the transport was
TCP, meaning that there would be more (useless) work per packet for TCP. 

I have the feeling from your reply that you are discussing the more
general case of allowing TCP vs UDP through a firewall for any
application. I view ISAKMP/IKE as a different and special case, since
ISAKMP/IKE provides for endpoint authentication as part of the protocol.
In my view, the issue prompting this discussion is that the current
ISAKMP/IKE specification seems to not provide enough in the way of
connection-oriented service, and the question we have to answer is this:
should we chuck the transport independence requirement and consider TCP,
or should we instead add necessary and sufficient functionality to IKE?

Scott
