[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IKE must have no Heirs
Note the 'ipsec' has TWO protocol numbers... One for ESP and one for
AH. What do _YOU_ mean?
-derek
"Horn, Mike" <mhorn@virtela.net> writes:
> Again speaking from service provider experience, manual keys are not a
> scalable option. Some sort of key exchange protocol is definitely required,
> right now that means IKE. As for using a single IP protocol number for both
> IKE and IPsec, I was merely stating this would reduce the number of
> ports/protocols I have to request firewall administrators to allow. From an
> operational perspective, dealing with IPsec devices behind firewalls can be
> very painful. I will let this thread die, since the IPSEC and IPSRA working
> groups face much bigger challenges then determining if IKE and IPsec should
> share a protocol number.
>
> Mike Horn
>
> > -----Original Message-----
> > From: Derek Atkins [mailto:warlord@MIT.EDU]
> > Sent: Tuesday, August 07, 2001 3:30 PM
> > To: Horn, Mike
> > Cc: 'Alex Alten'; Chris Trobridge; ipsec@lists.tislabs.com
> > Subject: Re: IKE must have no Heirs
> >
> >
> > There is no IPsec (ESP/AH) dependency on IKE. You can key manually
> > (which does not use IKE). There is the KINK work, is different than
> > IKE.
> >
> > There is no reason to turn IKE into it's own IP Protocol. Using
> > UDP/500 works just fine, and making it's own protocol wont accomplish
> > anything.
> >
> > -derek
> >
> > "Horn, Mike" <mhorn@virtela.net> writes:
> >
> > > Actually that is a poor example, there is no built-in
> > protocol dependency
> > > for BGP to use OSPF. And BGP does use TCP (port 179) for
> > communication vs.
> > > OSPF using a protocol number (89). IPsec currently has a
> > strong dependency
> > > on IKE. I do agree that from a network administration and debugging
> > > standpoint it would be nice if both IPsec and IKE shared a
> > common protocol
> > > number. This would help to simplify firewall configurations, etc.
> > >
> > > Mike Horn
> > >
> > > > -----Original Message-----
> > > > From: Alex Alten [mailto:Alten@home.com]
> > > > Sent: Tuesday, August 07, 2001 3:06 AM
> > > > To: Chris Trobridge
> > > > Cc: ipsec@lists.tislabs.com
> > > > Subject: RE: IKE must have no Heirs
> > > >
> > > >
> > > > Think about it. Do you do OSPF over IP and then BGP over UDP?
> > > > The same applies to IPSEC and key management.
> > > >
> > > > - Alex
> > > >
> > > > At 09:22 AM 8/7/2001 +0100, Chris Trobridge wrote:
> > > > >
> > > > >
> > > > >> -----Original Message-----
> > > > >> From: Alex Alten [mailto:Alten@home.com]
> > > > >> Sent: 07 August 2001 08:28
> > > > >> To: Kory Hamzeh; Hallam-Baker, Phillip
> > > > >> Cc: 'mcnelson@mindspring.com'; ipsec@lists.tislabs.com
> > > > >> Subject: Re: IKE must have no Heirs
> > > > >>
> > > > >>
> > > > >>
> > > > >> I second the motion. And also propose no port number (i.e.
> > > > do the new
> > > > >> one over raw IP).
> > > > >>
> > > > >> - Alex
> > > > >
> > > > >What would that achieve? (communicating over raw IP)
> > > > >
> > > > >Chris
> > > > >
> > > > >
> > > > >-------------------------------------------------------------
> > > > --------------
> > > > --------------------------------------
> > > > >The information contained in this message is confidential
> > > > and is intended
> > > > >for the addressee(s) only. If you have received this
> > > > message in error or
> > > > >there are any problems please notify the originator
> > > > immediately. The
> > > > >unauthorized use, disclosure, copying or alteration of this
> > > > message is
> > > > >strictly forbidden. Baltimore Technologies plc will not
> > be liable for
> > > > direct,
> > > > >special, indirect or consequential damages arising from
> > > > alteration of the
> > > > >contents of this message by a third party or as a result of
> > > > any virus being
> > > > >passed on.
> > > > >
> > > > >In addition, certain Marketing collateral may be added from
> > > > time to time to
> > > > >promote Baltimore Technologies products, services, Global
> > > > e-Security or
> > > > >appearance at trade shows and conferences.
> > > > >
> > > > >This footnote confirms that this email message has been
> > swept by
> > > > >Baltimore MIMEsweeper for Content Security threats, including
> > > > >computer viruses.
> > > > >
> > > > >
> > > > --
> > > >
> > > > Alex Alten
> > > >
> > > > Alten@Home.Com
> > > >
> > > >
> > >
> >
> > --
> > Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> > Member, MIT Student Information Processing Board (SIPB)
> > URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> > warlord@MIT.EDU PGP key available
> >
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
References: