
Re: IKE v2 Requirements and backwards compatibility



On Tue, 18 Dec 2001, Paul Koning wrote:
> Assuming there are good reasons why an initiator would want to use
> IKEv2 if it is available, you need a good mechanism that allows you to...
> b. Discover that IKEv2 is not available, without undue delay, so you
> can fall back to IKEv1.
> Given that IKEv1 has a version number, and a correctly stated version
> check rule, the answer is easy:  use the same port, and a higher
> version number...

That's only the easy part of the answer, however.  Assuming competent
design, it is trivial for the responder to recognize (e.g. by the version
number) that the incoming packet is for a protocol it doesn't know. 

The hard part is: *how is this communicated back to the initiator*? 

Especially, how is this communicated back by an existing implementation?
There is a large bonus for having a "no IKE2 at the other end" recognition
algorithm which doesn't require explicit help from the other end, so it
can deal with old IKE1 implementations.

About the only way to do this is to use a different port, and to put at
least some level of trust in the ICMP Port Unreachable message.

                                                          Henry Spencer
                                                       henry@spsystems.net
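The fallback mechanics Henry describes (separate port, limited trust in ICMP Port Unreachable, silence from an old implementation that gets a version it does not know), worked through as an added example. This is not code from the list or from any IKE implementation: the 28-byte ISAKMP header layout is RFC 2408's, but the IKEv2 version byte (0x20), the "legacy responder silently drops unknown major versions" behaviour, the 0.5 s probe timeout and the loopback addresses are assumptions made for the demonstration.

```python
"""Probe for IKEv2 on its own UDP port, fall back to IKEv1 on the classic port.
Added example (not an IKE implementation). Header layout: RFC 2408 ISAKMP.
Assumed: IKEv2 version byte 0x20; legacy peers drop unknown versions silently."""
import enum
import socket
import struct
import threading

# ISAKMP header: I-SPI(8) R-SPI(8) NextPayload(1) Version(1) Exchange(1) Flags(1) MsgID(4) Length(4)
HDR = struct.Struct("!8s8sBBBBII")
IKE_V1 = 0x10   # major 1, minor 0 (RFC 2408)
IKE_V2 = 0x20   # major 2, minor 0 (assumed value for the new protocol)


class Outcome(enum.Enum):
    REPLY = "reply"                        # peer answered in the major version we asked for
    REJECTED = "rejected"                  # peer answered in another version: explicit help from far end
    PORT_UNREACHABLE = "port-unreachable"  # ICMP error: nothing listens there (unauthenticated hint)
    TIMEOUT = "timeout"                    # silence: old peer dropped it, or loss, or filtering


def build_hdr(version: int, i_spi: bytes = b"\x01" * 8) -> bytes:
    return HDR.pack(i_spi, b"\x00" * 8, 0, version, 0, 0, 0, HDR.size)


def major_version(pkt: bytes):
    """The easy part: any responder can read the major version from header byte 17."""
    if len(pkt) < HDR.size:
        return None
    return HDR.unpack_from(pkt)[3] >> 4


def start_legacy_v1_responder():
    """Assumed old IKEv1-only box: answers major version 1, silently drops everything else."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.settimeout(0.1)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                pkt, peer = sock.recvfrom(2048)
            except socket.timeout:
                continue
            if major_version(pkt) == 1:
                sock.sendto(build_hdr(IKE_V1, pkt[:8]), peer)
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()[1], stop


def closed_port() -> int:
    """Pick a loopback UDP port with no listener (constructed test fixture)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host: str, port: int, version: int, timeout: float = 0.5) -> Outcome:
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.connect((host, port))  # connected UDP: a matching ICMP Port Unreachable surfaces as a socket error
    try:
        s.send(build_hdr(version))
        data = s.recv(2048)
        return Outcome.REPLY if major_version(data) == version >> 4 else Outcome.REJECTED
    except (ConnectionRefusedError, ConnectionResetError):  # Linux: ECONNREFUSED; Windows: reset
        return Outcome.PORT_UNREACHABLE
    except socket.timeout:
        return Outcome.TIMEOUT
    finally:
        s.close()


def negotiate(host: str, v2_port: int, v1_port: int, retries: int = 2):
    """Try IKEv2 first. ICMP is unauthenticated, so Port Unreachable only shortens the wait;
    the fallback is the same as on timeout, and a forced fallback is a downgrade worth logging."""
    out = Outcome.TIMEOUT
    for _ in range(retries):
        out = probe(host, v2_port, IKE_V2)
        if out is Outcome.REPLY:
            return IKE_V2, out
        if out is not Outcome.TIMEOUT:   # unreachable or rejected: retrying gains nothing
            break
    if probe(host, v1_port, IKE_V1) is Outcome.REPLY:
        return IKE_V1, out
    return None, out


if __name__ == "__main__":
    v1_port, stop = start_legacy_v1_responder()
    print("v2 on v1's port:", probe("127.0.0.1", v1_port, IKE_V2))   # silence from the old box
    print("negotiate:", negotiate("127.0.0.1", closed_port(), v1_port))
    stop.set()
```

Sending IKEv2 to the legacy responder's own port produces a TIMEOUT, which is the cost of the "same port, higher version" scheme against old implementations; probing a separate port with no listener produces PORT_UNREACHABLE on a stack that delivers the ICMP error, so the initiator falls back without waiting out its retries. Whether to believe that ICMP is the policy question the message raises: here it only accelerates a decision the initiator would reach anyway.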
