
Re: IKE must have no Heirs



Note that 'ipsec' has TWO protocol numbers... One for ESP and one for
AH.  What do _YOU_ mean?

-derek

"Horn, Mike" <mhorn@virtela.net> writes:

> Again speaking from service provider experience, manual keys are not a
> scalable option.  Some sort of key exchange protocol is definitely required,
> right now that means IKE.  As for using a single IP protocol number for both
> IKE and IPsec, I was merely stating this would reduce the number of
> ports/protocols I have to request firewall administrators to allow.  From an
> operational perspective, dealing with IPsec devices behind firewalls can be
> very painful.  I will let this thread die, since the IPSEC and IPSRA working
> groups face much bigger challenges than determining if IKE and IPsec should
> share a protocol number.
> 
> Mike Horn
> 
> > -----Original Message-----
> > From: Derek Atkins [mailto:warlord@MIT.EDU]
> > Sent: Tuesday, August 07, 2001 3:30 PM
> > To: Horn, Mike
> > Cc: 'Alex Alten'; Chris Trobridge; ipsec@lists.tislabs.com
> > Subject: Re: IKE must have no Heirs
> > 
> > 
> > There is no IPsec (ESP/AH) dependency on IKE.  You can key manually
> > (which does not use IKE).  There is the KINK work, which is different than
> > IKE.
> > 
> > There is no reason to turn IKE into its own IP Protocol.  Using
> > UDP/500 works just fine, and making its own protocol won't accomplish
> > anything.
> > 
> > -derek
> > 
> > "Horn, Mike" <mhorn@virtela.net> writes:
> > 
> > > Actually that is a poor example, there is no built-in protocol dependency
> > > for BGP to use OSPF.  And BGP does use TCP (port 179) for communication vs.
> > > OSPF using a protocol number (89).  IPsec currently has a strong dependency
> > > on IKE.  I do agree that from a network administration and debugging
> > > standpoint it would be nice if both IPsec and IKE shared a common protocol
> > > number.  This would help to simplify firewall configurations, etc.
> > > 
> > > Mike Horn 
> > > 
> > >  > -----Original Message-----
> > >  > From: Alex Alten [mailto:Alten@home.com]
> > >  > Sent: Tuesday, August 07, 2001 3:06 AM
> > >  > To: Chris Trobridge
> > >  > Cc: ipsec@lists.tislabs.com
> > >  > Subject: RE: IKE must have no Heirs
> > >  > 
> > >  > 
> > >  > Think about it.  Do you do OSPF over IP and then BGP over UDP?
> > >  > The same applies to IPSEC and key management.
> > >  > 
> > >  > - Alex
> > >  > 
> > >  > At 09:22 AM 8/7/2001 +0100, Chris Trobridge wrote:
> > >  > >
> > >  > >
> > >  > >> -----Original Message-----
> > >  > >> From: Alex Alten [mailto:Alten@home.com]
> > >  > >> Sent: 07 August 2001 08:28
> > >  > >> To: Kory Hamzeh; Hallam-Baker, Phillip
> > >  > >> Cc: 'mcnelson@mindspring.com'; ipsec@lists.tislabs.com
> > >  > >> Subject: Re: IKE must have no Heirs
> > >  > >> 
> > >  > >> 
> > >  > >> 
> > >  > >> I second the motion. And also propose no port number (i.e. do the new
> > >  > >> one over raw IP).
> > >  > >> 
> > >  > >> - Alex
> > >  > >
> > >  > >What would that achieve? (communicating over raw IP)
> > >  > >
> > >  > >Chris
> > >  > >
> > >  > >
> > >  > --
> > >  > 
> > >  > Alex Alten
> > >  > 
> > >  > Alten@Home.Com
> > >  > 
> > >  > 
> > > 
> > 
> > -- 
> >        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> >        Member, MIT Student Information Processing Board  (SIPB)
> >        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
> >        warlord@MIT.EDU                        PGP key available
> > 

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available

