
RE: IKE transport (was INITIAL-CONTACT issues)



How about using UDP for the first IKE session between two endpoints and then
using TCP-over-IPsec as the transport for the rest of the IKE sessions
that could happen between the endpoints?

DoS as the sole reason for not using TCP seems to be a high price.
And UDP has just changed the problem set.

-- sankar --


-----Original Message-----
From: Derrell D. Piper [mailto:ddp@network-alchemy.com]
Sent: Friday, May 14, 1999 2:59 PM
To: Dan McDonald
Cc: pkoning@xedia.com; ipsec@lists.tislabs.com
Subject: Re: IKE transport (was INITIAL-CONTACT issues) 


RE: TCP/UDP/DoS

Denial-of-service is such a slippery slope.  If you want to actively attack
IKE, just eat the last packet of Main Mode or Quick Mode...  Dan's right in
that using TCP only changes the problem set.  It doesn't solve anything other
than by providing a fairly high-cost keepalive mechanism.

Derrell

