
Re: IKE negotiation/rekeying problem with RSIP





Point (2):

- IMO, IKE should be allowed to choose an ephemeral port just like any other
  application.  Is there a reason why this isn't the case?

- We currently specify exactly that - looking at i-cookies to differentiate
  clients.

-Mike





"Michael C. Richardson" <mcr@sandelman.ottawa.on.ca> on 11/14/99 09:04:09 PM

Sent by:  "Michael C. Richardson" <mcr@sandelman.ottawa.on.ca>


To:   ipsec@lists.tislabs.com
cc:    (Mike Borella/MW/US/3Com)
Subject:  Re: IKE negotiation/rekeying problem with RSIP





>>>>> "Saint-Hilaire," == Saint-Hilaire, Ylian <ylian.saint-hilaire@intel.com> writes:
    Saint-Hilaire,> There is a possible problem IKE initiation/rekeying over
    Saint-Hilaire,> RSIP. If two inner computers use an RSIP gateway to
    Saint-Hilaire,> establish IPsec sessions to one destination, the
    Saint-Hilaire,> destination computers will see 2 IKE phase1's from the

  1) this in itself may be a problem for some gateways.

    Saint-Hilaire,> gateway. If the destination computer ever needs to rekey
    Saint-Hilaire,> a phase 2 or negotiate a new phase 2, he may select an
    Saint-Hilaire,> incorrect phase 1 to negotiate with.

  2) worse, they can't both get UDP port 500. There are choices to resolve this:
     a) permit initiators to use other than port 500, and have the
     remote gateway respond to the correct port.

     b) have the gateway demux based upon cookies instead of port numbers.
     This makes the gateway aware of IKE, but it needs to know proto 50/51
     anyway.

   :!mcr!:            |  Cow#1: Are you worried about getting Mad Cow Disease?
   Michael Richardson |  Cow#2: No. I'm a duck.
 Home: mcr@sandelman.ottawa.on.ca
 (http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html). PGP key available.