Re: Do we actually need dynamic ports?



On Tue, 26 Mar 2002, Paul Hoffman / VPNC wrote:

> At 10:47 AM -0800 3/26/02, Jan Vilhuber wrote:
> >On Tue, 26 Mar 2002, sankar ramamoorthi wrote:
> > > Are dynamic protocols a requirement for ikev2?
> > > There have been no comments to that regard.
> > >
> >
> >That's true. I think they are/should be. I'll ask Cheryl to add this
> >to the requirements document.
>
> Why is this a requirement? Has the lack of dynamic ports
> significantly hurt IKEv1? If so, what other protocol did the folks
> who required dynamic ports use?
>

There is no other protocol they COULD use. The workaround, as Scott
Kelly posted, is to open up ALL TCP ports (in the case of FTP) and do
stateful filtering on both ends, which is not interoperable. If you
don't do stateful inspection, you simply keep all ports open and pass
more traffic than you were hoping for, which is also suboptimal.

In L2TP's case, the port-moving and IP-address moving feature that
prompted this discussion (internally here at Cisco) hasn't really been
rolled out yet. Once they do, I expect this issue will be raised
again.

For SCTP, I refer you to Angelos' draft on IKE and SCTP...

> This sounds a lot like a rat-hole that will have next to no chance of
> interoperating and will not help many users.
>

I think it WILL help many users. The ability to do dynamic port
additions (or even dynamic address additions) will make configurations
simpler (try 'ftp' instead of 'port 21 and whatever else ftp
negotiates'), and will not impact interoperability. I think it's
fairly well defined in both Angelos' draft for SCTP and Pyda
Srisuresh's draft (of which I'm coauthor). This is not brain surgery.

Given that IP telephony is being used more and more, and given that
H.323 is the mechanism (or one of them?), I'd say this is important.

Whether it needs to happen in IKE, or, as Hilarie suggested, as part
of some as yet unspecified protocol in IPSP, is up for discussion, but
the problem must be addressed.

The problem with doing it via IPSP is that (as someone else pointed out)
said IPSP protocol would need to be done before SOI can become an
RFC. I'd prefer not to make such a linking, since I don't think this
is overly complex... Opinions vary (obviously.. this is IPsec after all).

jan
 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
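The trade-off Jan describes for FTP (a fixed port-21 selector misses the negotiated data channel, an all-TCP selector passes unrelated traffic, a dynamically added port covers exactly what was negotiated) can be modelled with a toy SPD selector match. This is an added example, not code from the thread or from any draft it mentions; the Selector/Flow classes, the server address 192.0.2.10 and the flows are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, FrozenSet, List

@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt (constructed sample data)."""
    dst_ip: str
    proto: str
    dst_port: int

@dataclass(frozen=True)
class Selector:
    """Hypothetical SPD-style traffic selector: ports=None means any port."""
    dst_ip: str
    proto: str
    ports: Optional[FrozenSet[int]]

    def matches(self, f: Flow) -> bool:
        return (f.dst_ip == self.dst_ip and f.proto == self.proto
                and (self.ports is None or f.dst_port in self.ports))

def protected_ports(selectors: List[Selector], flows: List[Flow]) -> List[int]:
    """Destination ports of the flows that would be carried by the SA."""
    return [f.dst_port for f in flows if any(s.matches(f) for s in selectors)]

SERVER = "192.0.2.10"   # constructed FTP server address
FLOWS = [
    Flow(SERVER, "tcp", 21),     # FTP control channel
    Flow(SERVER, "tcp", 50231),  # passive-mode data channel, port learned at run time
    Flow(SERVER, "tcp", 22),     # unrelated SSH session to the same host
]

# Static selector: control channel only; the data channel falls outside the SA.
STATIC = [Selector(SERVER, "tcp", frozenset({21}))]
# Workaround from the thread: open all TCP ports and rely on stateful filtering.
ALL_TCP = [Selector(SERVER, "tcp", None)]

def dynamic_add(selectors: List[Selector], negotiated_port: int) -> List[Selector]:
    """Dynamic port addition: widen the selector by just the port FTP negotiated."""
    base = selectors[0]
    ports = (base.ports or frozenset()) | {negotiated_port}
    return [Selector(base.dst_ip, base.proto, frozenset(ports))]

DYNAMIC = dynamic_add(STATIC, 50231)

if __name__ == "__main__":
    for name, sel in (("static", STATIC), ("all-tcp", ALL_TCP), ("dynamic", DYNAMIC)):
        print(f"{name:8} carries ports {protected_ports(sel, FLOWS)}")
```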