
Re: draft-ietf-ipsec-udp-encaps-00: non-500 ESP encap, 32bits of , i-cookie=0




>>>>> "Stephane" == Stephane Beaulieu <stephane@cisco.com> writes:
    Derek> For NAT traversal, I think it is eminently ideal for the keying
    Derek> and data streams to share a port. Otherwise you need twice as
    Derek> many keepalives to keep the NAT mapping happy.
    >> 
    >> Why do we have to keep the NAT mapping for the IKE stream port alive?
    >> 
    >> It isn't like the "gateway" is going to be able to initiate to the client
    >> unless the client cooperates.

    Stephane> The gateway might need to initiate a rekey, or even send some sort of
    Stephane> keepalive / DPD packet (even though none have been standardized at the
    Stephane> moment), or for that fact some sort of Informational message
    Stephane> (INVALID SPI?)

  The only valid reason is the rekey.

  The keepalive will, obviously, keep the port alive.
  I just do not see the problem.

  Running IPsec packets over the same port is just *UGLY*.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

