
Re: IKE negotiation/rekeying problem with RSIP



Mike Borella writes:
> - IMO, IKE should be allowed to choose an ephemeral port just like any other
>      application.  Is there a reason why this isn't the case?

Mostly because the draft authors wanted to make things easy for the
implementors and for testing. There is no need to ask the other side which
port it uses, because everybody must be able to support port 500.

RFC2408 does not limit implementations to port 500 as the only one to be
supported; it just says that at least that must be supported. I think
most of the implementations have support for answering to a different
port than port 500 (i.e. the initiator sends a packet from port xxxx to
500, and the responder sends packets back to port xxxx instead of
500).

Quite a lot of implementations have support for specifying the server
port.

Here is a relevant part of the RFC2408:
----------------------------------------------------------------------
2.5.1 Transport Protocol

   ISAKMP can be implemented over any transport protocol or over IP
   itself.  Implementations MUST include send and receive capability for
   ISAKMP using the User Datagram Protocol (UDP) on port 500.  UDP Port
   500 has been assigned to ISAKMP by the Internet Assigned Numbers
   Authority (IANA). Implementations MAY additionally support ISAKMP
   over other transport protocols or over IP itself.
----------------------------------------------------------------------
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
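The behaviour described in the reply above, as an added example that is not part of the original message or of any SSH product: an initiator sends the first ISAKMP message from an OS-chosen ephemeral port, and the responder answers to whatever source port the datagram arrived from rather than to a hard-coded 500. The 28-byte header layout follows RFC 2408 section 3.1; the responder is bound to a loopback port chosen by the OS as an unprivileged stand-in for UDP 500, and the cookies and exchange type are constructed sample values.

```python
import os
import socket
import struct

# RFC 2408 section 3.1 ISAKMP header: initiator cookie (8), responder cookie (8),
# next payload (1), version (1), exchange type (1), flags (1), message ID (4),
# length (4) = 28 bytes, network byte order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_PORT = 500          # the port every implementation MUST be able to use
EXCH_IDENTITY_PROTECT = 2  # RFC 2408 exchange type 2 (Main Mode), used as sample


def build_isakmp_header(icookie, rcookie, exch_type, msg_id=0, payload=b""):
    """Pack a header in front of payload. Version byte 0x10 = major 1, minor 0;
    next payload 0 means no payload follows (header-only message)."""
    return ISAKMP_HDR.pack(icookie, rcookie, 0, 0x10, exch_type, 0, msg_id,
                           ISAKMP_HDR.size + len(payload)) + payload


def parse_isakmp_header(datagram):
    """Return the header fields, rejecting truncated or mis-sized datagrams."""
    if len(datagram) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than the 28-byte ISAKMP header")
    icookie, rcookie, nxt, ver, exch, flags, msg_id, length = \
        ISAKMP_HDR.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError("ISAKMP length field %d != datagram size %d"
                         % (length, len(datagram)))
    return {"icookie": icookie, "rcookie": rcookie, "next_payload": nxt,
            "version": ver, "exchange_type": exch, "flags": flags,
            "message_id": msg_id, "length": length}


def responder_reply(datagram, peer):
    """What a responder does with a first message: validate the header, fill in
    its own cookie, and address the reply to the *source* (ip, port) reported by
    recvfrom(), not to port 500. peer is that (ip, port) tuple."""
    hdr = parse_isakmp_header(datagram)
    if hdr["rcookie"] != bytes(8):
        raise ValueError("first message must carry a zero responder cookie")
    reply = build_isakmp_header(hdr["icookie"], os.urandom(8),
                                hdr["exchange_type"], hdr["message_id"])
    return reply, peer


def exchange_over_loopback(responder_port=0):
    """Run one request/reply over 127.0.0.1 and report which ports were used.
    responder_port=0 lets the OS pick a port as an unprivileged stand-in for
    UDP 500; the initiator always uses an ephemeral port."""
    resp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    init = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        resp.bind(("127.0.0.1", responder_port))
        init.bind(("127.0.0.1", 0))  # ephemeral source port, like any application
        resp.settimeout(2)
        init.settimeout(2)
        request = build_isakmp_header(os.urandom(8), bytes(8), EXCH_IDENTITY_PROTECT)
        init.sendto(request, resp.getsockname())
        data, peer = resp.recvfrom(4096)       # peer carries the ephemeral port
        reply, dest = responder_reply(data, peer)
        resp.sendto(reply, dest)
        answer, from_addr = init.recvfrom(4096)
        return {
            "initiator_port": init.getsockname()[1],
            "reply_sent_to_port": dest[1],
            "reply_came_from_port": from_addr[1],
            "responder_port": resp.getsockname()[1],
            "request": parse_isakmp_header(request),
            "reply": parse_isakmp_header(answer),
        }
    finally:
        resp.close()
        init.close()


if __name__ == "__main__":
    r = exchange_over_loopback()
    print("initiator port %d, reply sent to port %d, responder port %d"
          % (r["initiator_port"], r["reply_sent_to_port"], r["responder_port"]))
```

The only state the responder needs in order to answer a non-500 source port is the address tuple that recvfrom() already hands it; a responder that instead sends to a fixed (peer_ip, 500) is the implementation that breaks behind RSIP or any port-rewriting gateway.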

