[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKE transport (was INITIAL-CONTACT issues)

To: Sankar Ramamoorthi <Sankar@vpnet.com>
Subject: Re: IKE transport (was INITIAL-CONTACT issues)
From: Dan Harkins <dharkins@network-alchemy.com>
Date: Fri, 14 May 1999 18:57:27 -0700
cc: ipsec@lists.tislabs.com
In-reply-to: Your message of "Fri, 14 May 1999 18:46:52 PDT." <D899E9E27BE9D211842200805FA67B43016E70@vpnet.com>
Sender: owner-ipsec@lists.tislabs.com

On Fri, 14 May 1999 18:46:52 PDT you wrote
> My main desire for requesting the use of a reliable transport was to avoid
> the 
> problem of tuning retransmit timers.

Except using your suggestion you'd have to establish every peer-wise 
relationship using UDP with retransmit timers and then you'd get to do 
Quick Modes over TCP. Doesn't sound like much of a benefit.

> I was looking at it from the point of security gateways needing to support
> thousands of IKE sessions.

Supporting thousands of IKE sessions on a security gateway is not a problem.

  Dan.

> -----Original Message-----
> From: Dan Harkins [mailto:dharkins@Network-Alchemy.COM]
> Sent: Friday, May 14, 1999 5:16 PM
> To: Sankar Ramamoorthi
> Cc: 'Derrell D. Piper'; Dan McDonald; pkoning@xedia.com;
> ipsec@lists.tislabs.com
> Subject: Re: IKE transport (was INITIAL-CONTACT issues) 
> 
> 
>   Sounds like a pointless hack. You'd have to do an regular UDP-based
> IKE to generate IPSec SAs which would cover TCP traffic for IKE. And
> this buys you what? 
> 
>   It sounds like the only desire for using TCP is to give some "network
> security aware" IS guy a warm fuzzy. If this IS guy wants end-to-end
> security then he has to allow stuff through his firewall (and it's more
> than just UDP too). If he doesn't want end-to-end security then IKE's 
> transport mechanism isn't an issue. 
> 
>   UDP does _not_ changed the problem set. Introduction of TCP does because
> there's a new problem as Dan McDonald pointed out.
> 
>   Dan.
> 
> On Fri, 14 May 1999 16:05:01 PDT you wrote
> > How about using udp for the first IKE session between 2 endpoints and then
> > using a tcp-over-ipsec as the transport for the rest of the IKE sessions
> > that could happen between the end-points?
> > 
> > DOS as the sole reason for not using TCP seems to be a high price.
> > And udp has just changed the problem set.
> > 
> > -- sankar --
> > 
> > 
> > -----Original Message-----
> > From: Derrell D. Piper [mailto:ddp@network-alchemy.com]
> > Sent: Friday, May 14, 1999 2:59 PM
> > To: Dan McDonald
> > Cc: pkoning@xedia.com; ipsec@lists.tislabs.com
> > Subject: Re: IKE transport (was INITIAL-CONTACT issues) 
> > 
> > 
> > RE: TCP/UDP/DoS
> > 
> > Denial-of-service is such a slipery slope.  If you want to actively attack
> > IKE, just eat the last packet of Main Mode or Quick Mode...  Dan's right
> in
> > that using TCP only changes the problem set.  It doesn't solve anything
> > other
> > than by providing a fairly high-cost keepalive mechanism.
> > 
> > Derrell

References:

RE: IKE transport (was INITIAL-CONTACT issues)

From: Sankar Ramamoorthi <Sankar@vpnet.com>

Prev by Date: RE: IKE transport (was INITIAL-CONTACT issues)
Next by Date: Re: IKE transport (was INITIAL-CONTACT issues)
Prev by thread: RE: IKE transport (was INITIAL-CONTACT issues)
Next by thread: Re: IKE transport (was INITIAL-CONTACT issues)
Index(es):
- Main
- Thread