
Re: IKE must have no Heirs



In message <CCFF88268143CC4181A758DCC0ECDC13DE7764@posthaus.virtela.cc>, "Horn,
 Mike" writes:
>Again speaking from service provider experience, manual keys are not a
>scalable option.  Some sort of key exchange protocol is definitely required;
>right now that means IKE.  As for using a single IP protocol number for both
>IKE and IPsec, I was merely stating this would reduce the number of
>ports/protocols I have to request firewall administrators to allow.  From an
>operational perspective, dealing with IPsec devices behind firewalls can be
>very painful.

In fact, overloading protocol or port numbers is a major problem for 
firewalls -- you don't know exactly what you're letting through.


		--Steve Bellovin, http://www.research.att.com/~smb
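The firewall trade-off the two messages describe, as an added example that is not part of this thread and not code from any IPsec implementation: a toy stateless filter in Python. The explicit rule set uses the real assignments (IKE over UDP port 500, ESP as IP protocol 50, AH as 51); the single "overloaded" protocol number is hypothetical and taken from the experimental range purely for illustration. With three explicit entries the filter can tell IKE from ESP and drop unrelated UDP; with one number for everything it admits whatever is carried under that number and cannot say what it let through.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Real IANA assignments: IKE runs over UDP port 500, ESP is IP protocol 50, AH is 51.
PROTO_UDP = 17
PROTO_ESP = 50
PROTO_AH = 51
IKE_UDP_PORT = 500

# Hypothetical single number carrying IKE and IPsec alike (taken from the
# experimental range; not a real assignment, used only to illustrate the point).
PROTO_OVERLOADED = 253


@dataclass(frozen=True)
class Packet:
    proto: int                      # IP protocol number
    dst_port: Optional[int] = None  # only meaningful for UDP/TCP
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    proto: int
    dst_port: Optional[int] = None  # None matches any port
    label: str = ""


# What a provider must ask a firewall admin to open today: three distinct entries.
EXPLICIT_RULES = (
    Rule(PROTO_UDP, IKE_UDP_PORT, "IKE"),
    Rule(PROTO_ESP, None, "ESP"),
    Rule(PROTO_AH, None, "AH"),
)

# The "one number for everything" alternative: a single entry.
OVERLOADED_RULES = (
    Rule(PROTO_OVERLOADED, None, "ipsec-or-ike"),
)


def match(rules: Iterable[Rule], pkt: Packet) -> Optional[str]:
    """Stateless first-match filter: return the label of the allowing rule, or None to drop."""
    for r in rules:
        if pkt.proto != r.proto:
            continue
        if r.dst_port is not None and pkt.dst_port != r.dst_port:
            continue
        return r.label
    return None


def tally(rules: Iterable[Rule], pkts: Iterable[Packet]) -> dict:
    """Count admitted packets per rule label, i.e. what a firewall counter or log would show."""
    counts: dict = {}
    for p in pkts:
        label = match(rules, p)
        if label is not None:
            counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample traffic (payloads are placeholders, not real IKE/ESP encodings).
IKE_PKT = Packet(PROTO_UDP, IKE_UDP_PORT, b"ike-sa-init")
ESP_PKT = Packet(PROTO_ESP, None, b"esp-encrypted")
DNS_PKT = Packet(PROTO_UDP, 53, b"dns-query")

# The same flows, plus an unrelated one, if everything were carried under one overloaded number.
IKE_OVER = Packet(PROTO_OVERLOADED, None, b"ike-sa-init")
ESP_OVER = Packet(PROTO_OVERLOADED, None, b"esp-encrypted")
ROGUE_OVER = Packet(PROTO_OVERLOADED, None, b"anything-at-all")


def demo() -> dict:
    """Run both rule sets over their traffic mixes and return the counters side by side."""
    return {
        "explicit": tally(EXPLICIT_RULES, [IKE_PKT, ESP_PKT, DNS_PKT]),
        "overloaded": tally(OVERLOADED_RULES, [IKE_OVER, ESP_OVER, ROGUE_OVER]),
    }


if __name__ == "__main__":
    print(demo())
```

The explicit set admits one IKE and one ESP packet and drops the DNS query; the overloaded set reports three admitted packets under one label, with no way to separate the rogue payload from real IKE or ESP. That is the visibility the firewall loses when distinct traffic shares one protocol number, at the price of three rule requests instead of one.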