[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IKE transport (was INITIAL-CONTACT issues)
Sounds like a pointless hack. You'd have to do an regular UDP-based
IKE to generate IPSec SAs which would cover TCP traffic for IKE. And
this buys you what?
It sounds like the only desire for using TCP is to give some "network
security aware" IS guy a warm fuzzy. If this IS guy wants end-to-end
security then he has to allow stuff through his firewall (and it's more
than just UDP too). If he doesn't want end-to-end security then IKE's
transport mechanism isn't an issue.
UDP does _not_ changed the problem set. Introduction of TCP does because
there's a new problem as Dan McDonald pointed out.
Dan.
On Fri, 14 May 1999 16:05:01 PDT you wrote
> How about using udp for the first IKE session between 2 endpoints and then
> using a tcp-over-ipsec as the transport for the rest of the IKE sessions
> that could happen between the end-points?
>
> DOS as the sole reason for not using TCP seems to be a high price.
> And udp has just changed the problem set.
>
> -- sankar --
>
>
> -----Original Message-----
> From: Derrell D. Piper [mailto:ddp@network-alchemy.com]
> Sent: Friday, May 14, 1999 2:59 PM
> To: Dan McDonald
> Cc: pkoning@xedia.com; ipsec@lists.tislabs.com
> Subject: Re: IKE transport (was INITIAL-CONTACT issues)
>
>
> RE: TCP/UDP/DoS
>
> Denial-of-service is such a slipery slope. If you want to actively attack
> IKE, just eat the last packet of Main Mode or Quick Mode... Dan's right in
> that using TCP only changes the problem set. It doesn't solve anything
> other
> than by providing a fairly high-cost keepalive mechanism.
>
> Derrell
References: