Re: IKE must have no Heirs
In message <CCFF88268143CC4181A758DCC0ECDC13DE7764@posthaus.virtela.cc>, "Horn, Mike" writes:
>Again speaking from service provider experience, manual keys are not a
>scalable option. Some sort of key exchange protocol is definitely required,
>right now that means IKE. As for using a single IP protocol number for both
>IKE and IPsec, I was merely stating this would reduce the number of
>ports/protocols I have to request firewall administrators to allow. From an
>operational perspective, dealing with IPsec devices behind firewalls can be
>very painful.
In fact, overloading protocol or port numbers is a major problem for
firewalls -- you don't know exactly what you're letting through.
--Steve Bellovin, http://www.research.att.com/~smb