[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: IKE must have no Heirs

To: "'Derek Atkins'" <warlord@mit.edu>
Subject: RE: IKE must have no Heirs
From: "Horn, Mike" <mhorn@virtela.net>
Date: Tue, 7 Aug 2001 15:42:48 -0600
Cc: ipsec@lists.tislabs.com
Sender: owner-ipsec@lists.tislabs.com

Again speaking from service provider experience, manual keys are not a
scalable option.  Some sort of key exchange protocol is definitely required,
right now that means IKE.  As for using a single IP protocol number for both
IKE and IPsec, I was merely stating this would reduce the number of
ports/protocols I have to request firewall administrators to allow.  From an
operational perspective, dealing with IPsec devices behind firewalls can be
very painful.  I will let this thread die, since the IPSEC and IPSRA working
groups face much bigger challenges then determining if IKE and IPsec should
share a protocol number.

Mike Horn

 > -----Original Message-----
 > From: Derek Atkins [mailto:warlord@MIT.EDU]
 > Sent: Tuesday, August 07, 2001 3:30 PM
 > To: Horn, Mike
 > Cc: 'Alex Alten'; Chris Trobridge; ipsec@lists.tislabs.com
 > Subject: Re: IKE must have no Heirs
 > 
 > 
 > There is no IPsec (ESP/AH) dependency on IKE.  You can key manually
 > (which does not use IKE).  There is the KINK work, is different than
 > IKE.
 > 
 > There is no reason to turn IKE into it's own IP Protocol.  Using
 > UDP/500 works just fine, and making it's own protocol wont accomplish
 > anything.
 > 
 > -derek
 > 
 > "Horn, Mike" <mhorn@virtela.net> writes:
 > 
 > > Actually that is a poor example, there is no built-in 
 > protocol dependency
 > > for BGP to use OSPF.  And BGP does use TCP (port 179) for 
 > communication vs.
 > > OSPF using a protocol number (89).  IPsec currently has a 
 > strong dependency
 > > on IKE.  I do agree that from a network administration and debugging
 > > standpoint it would be nice if both IPsec and IKE shared a 
 > common protocol
 > > number.  This would help to simplify firewall configurations, etc.
 > > 
 > > Mike Horn 
 > > 
 > >  > -----Original Message-----
 > >  > From: Alex Alten [mailto:Alten@home.com]
 > >  > Sent: Tuesday, August 07, 2001 3:06 AM
 > >  > To: Chris Trobridge
 > >  > Cc: ipsec@lists.tislabs.com
 > >  > Subject: RE: IKE must have no Heirs
 > >  > 
 > >  > 
 > >  > Think about it.  Do you do OSPF over IP and then BGP over UDP?
 > >  > The same applies to IPSEC and key management.
 > >  > 
 > >  > - Alex
 > >  > 
 > >  > At 09:22 AM 8/7/2001 +0100, Chris Trobridge wrote:
 > >  > >
 > >  > >
 > >  > >> -----Original Message-----
 > >  > >> From: Alex Alten [mailto:Alten@home.com]
 > >  > >> Sent: 07 August 2001 08:28
 > >  > >> To: Kory Hamzeh; Hallam-Baker, Phillip
 > >  > >> Cc: 'mcnelson@mindspring.com'; ipsec@lists.tislabs.com
 > >  > >> Subject: Re: IKE must have no Heirs
 > >  > >> 
 > >  > >> 
 > >  > >> 
 > >  > >> I second the motion. And also propose no port number (i.e. 
 > >  > do the new
 > >  > >> one over raw IP).
 > >  > >> 
 > >  > >> - Alex
 > >  > >
 > >  > >What would that achieve? (communicating over raw IP)
 > >  > >
 > >  > >Chris
 > >  > >
 > >  > >
 > >  > >-------------------------------------------------------------
 > >  > --------------
 > >  > --------------------------------------
 > >  > >The information contained in this message is confidential 
 > >  > and is intended 
 > >  > >for the addressee(s) only.  If you have received this 
 > >  > message in error or 
 > >  > >there are any problems please notify the originator 
 > >  > immediately.  The 
 > >  > >unauthorized use, disclosure, copying or alteration of this 
 > >  > message is 
 > >  > >strictly forbidden. Baltimore Technologies plc will not 
 > be liable for
 > >  > direct, 
 > >  > >special, indirect or consequential damages arising from 
 > >  > alteration of the 
 > >  > >contents of this message by a third party or as a result of 
 > >  > any virus being 
 > >  > >passed on.
 > >  > >
 > >  > >In addition, certain Marketing collateral may be added from 
 > >  > time to time to 
 > >  > >promote Baltimore Technologies products, services, Global 
 > >  > e-Security or 
 > >  > >appearance at trade shows and conferences.
 > >  > > 
 > >  > >This footnote confirms that this email message has been 
 > swept by 
 > >  > >Baltimore MIMEsweeper for Content Security threats, including
 > >  > >computer viruses.
 > >  > >
 > >  > >
 > >  > --
 > >  > 
 > >  > Alex Alten
 > >  > 
 > >  > Alten@Home.Com
 > >  > 
 > >  > 
 > > 
 > 
 > -- 
 >        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
 >        Member, MIT Student Information Processing Board  (SIPB)
 >        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
 >        warlord@MIT.EDU                        PGP key available
 >

Follow-Ups:

Re: IKE must have no Heirs

From: Derek Atkins <warlord@mit.edu>

Prev by Date: Re: Position statement on IKE development
Next by Date: RE: IKE must have no Heirs
Prev by thread: RE: IKE must have no Heirs
Next by thread: Re: IKE must have no Heirs
Index(es):
- Main
- Thread