Re: suggested clarification regarding port handling in ike
Hi Gabriel,
On Sat, 20 Nov 1999 10:54:45 PST you wrote
> dan and dave,
>
> judging from exchanges on the mailing list, it seems like it is
> worthwhile to document further details about common practices
> regarding port handling in ike.
>
> since the ike document is currently being revised:
>
> http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ike-01.txt
>
> may i suggest the following blurb (or something along its lines)
> be added perhaps as a further clarification in section 2.3?:
>
> IKE implementations MUST support UDP port 500 for both source
> and destination, but other port numbers are also allowed.
> If an implementation allows other-than-port-500 for IKE,
> it sets the value of the port numbers as reported in the
> ID payload to 0 (meaning "any port"), instead of 500. UDP port numbers
> (500 or not) are handled by the common "swap src/dst port and reply"
> method.
IKE uses ISAKMP as a transport and it seems to me that any verbiage
needed to clarify the use of that transport should go in a son-of-ISAKMP
draft. In addition, the ID payloads are typically exchanged so late in
the exchange that this information would not be useful. A Main Mode
exchange will have 4 packets exchanged before the Responder would
obtain the Initiator's ID payload informing him that the Initiator
allows for an other-than-port-500 port.
Dan.
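The rule Gabriel proposes above (advertise port 0 in the ID payload when not using UDP 500, and answer by swapping source and destination ports), worked through as an added example that is not part of this thread or of any IKE implementation. It encodes and decodes the ISAKMP ID payload layout (generic header, then ID type, protocol ID, port, identification data) and applies the proposed consistency check on the responder side; the sample addresses and the non-500 port are constructed.

```python
import struct
from typing import Tuple

IKE_PORT = 500        # the UDP port every IKE implementation must support
ID_IPV4_ADDR = 1      # ID type value for an IPv4 address (IPsec DOI)
PROTO_UDP = 17        # protocol ID carried in the ID payload


def build_id_payload(id_type: int, proto: int, port: int, data: bytes,
                     next_payload: int = 0) -> bytes:
    """Encode an ISAKMP ID payload: 4-byte generic header (next payload,
    reserved, length), then ID type, protocol ID, 16-bit port, and data."""
    length = 8 + len(data)
    return struct.pack("!BBHBBH", next_payload, 0, length,
                       id_type, proto, port) + data


def parse_id_payload(buf: bytes) -> Tuple[int, int, int, bytes]:
    """Decode an ID payload into (id_type, proto, port, identification data),
    rejecting truncated or mis-sized buffers."""
    if len(buf) < 8:
        raise ValueError("ID payload too short")
    _next, _reserved, length, id_type, proto, port = struct.unpack("!BBHBBH", buf[:8])
    if length != len(buf):
        raise ValueError("ID payload length mismatch")
    return id_type, proto, port, buf[8:length]


def id_port_to_advertise(local_udp_port: int) -> int:
    """Proposed rule: report 500 when listening on 500, otherwise 0 ('any port')."""
    return IKE_PORT if local_udp_port == IKE_PORT else 0


def id_port_consistent(id_port: int, observed_src_port: int) -> bool:
    """Responder-side check: the ID port is acceptable if it is 0 ('any')
    or matches the UDP source port the packet actually arrived from."""
    return id_port == 0 or id_port == observed_src_port


def reply_endpoints(src: Tuple[str, int], dst: Tuple[str, int]):
    """The 'swap src/dst port and reply' method: answer to where the request
    came from, using the port it came from, regardless of whether it was 500."""
    return dst, src
```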