
Re: Do we actually need dynamic ports?
> But, the question is: how is this widening going to happen? If it is
> some message which IKE receives from the other side "add this port to
> this SA", then we effectively have "all ports open".
>

In some environments, it may be ok to agree to open all ports. In these
environments, you trust the other end and you are using the tunnel only to
protect the traffic from the public network. In these environments, the fact
that a packet made it through a tunnel is good enough.

Of course there are cases where you cannot trust the other end to use the
tunnel for what it is meant. So, in these cases the selectors should not be
dynamic.

Maybe what we need is a flag in the selectors to say if it is dynamic. The
negotiation succeeds only if both ends specify that the selectors are
dynamic.

If the two ends agree to use dynamic selectors, then we do not need any
control messages to tell the other end to open new ports. When an
authenticated packet is received, it means the other end wants the selectors
widened.

To delete the dynamically added ports, we can use regular IKE messages as
there are no timing issues with that.
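The policy the post sketches can be modelled in a few lines. The following is an added example, not code from the poster or from any IKE implementation: it keeps a per-SA traffic selector with the proposed "dynamic" flag, makes negotiation succeed only when both ends set the flag the same way (treating a mismatch as a failed negotiation, which is an assumption the post does not spell out), widens the selector when an authenticated packet arrives on an unlisted port, and removes dynamic ports through an explicit delete that stands in for the IKE message. It also records every widening event so an operator can review what the peer has opened; that audit trail is an addition for the defender's benefit, not something the post proposes. Names such as `Selector`, `ChildSA`, `negotiate` and `inbound` are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Selector:
    """Traffic selector for one Child SA (hypothetical model: only ports are
    tracked, and 'dynamic' is the flag the post proposes adding)."""
    ports: set
    dynamic: bool = False


@dataclass
class ChildSA:
    peer: str
    selector: Selector
    dynamic_ports: set = field(default_factory=set)  # ports added by widening
    audit: list = field(default_factory=list)        # (event, peer, port) records


def negotiate(local: Selector, remote: Selector, peer: str = "peer") -> Optional[ChildSA]:
    """Agree on a selector. Dynamic selectors are used only if BOTH ends ask
    for them; a mismatched flag fails the negotiation (assumption: the post
    only says negotiation succeeds when both ends specify dynamic)."""
    if local.dynamic != remote.dynamic:
        return None
    # Static part of the selector is what both sides are willing to carry.
    return ChildSA(peer, Selector(local.ports & remote.ports, local.dynamic))


def inbound(sa: ChildSA, port: int, authenticated: bool) -> str:
    """Decide what happens to an inbound packet on this SA.

    Only an authenticated packet (one that passed the SA's integrity check)
    can widen anything; an unauthenticated packet never reaches the selector."""
    if not authenticated:
        return "drop: unauthenticated"
    if port in sa.selector.ports or port in sa.dynamic_ports:
        return "accept: matched"
    if sa.selector.dynamic:
        # The peer sent authenticated traffic to a new port: widen, no IKE
        # message needed. Record it so the widening is visible later.
        sa.dynamic_ports.add(port)
        sa.audit.append(("widen", sa.peer, port))
        return "accept: widened"
    # Static selector and the other end is not trusted to open ports.
    return "drop: no selector match"


def delete_dynamic_port(sa: ChildSA, port: int) -> bool:
    """Stand-in for the regular IKE message the post proposes for removal."""
    if port not in sa.dynamic_ports:
        return False
    sa.dynamic_ports.discard(port)
    sa.audit.append(("delete", sa.peer, port))
    return True


def allowed_ports(sa: ChildSA) -> set:
    """Effective selector: configured ports plus whatever has been widened."""
    return sa.selector.ports | sa.dynamic_ports


if __name__ == "__main__":
    # Constructed scenario: both ends flag the selector as dynamic.
    sa = negotiate(Selector({443}, dynamic=True), Selector({443}, dynamic=True), "gw-b")
    print(inbound(sa, 22, authenticated=False))  # dropped before any widening
    print(inbound(sa, 22, authenticated=True))   # widened to include 22
    print(sorted(allowed_ports(sa)))
    print(delete_dynamic_port(sa, 22), sorted(allowed_ports(sa)))
    print(sa.audit)
    # Mismatched flags: one end wants dynamic, the other does not.
    print(negotiate(Selector({443}, dynamic=True), Selector({443}, dynamic=False)))
```

The point the model makes visible is the one the post makes in words: with the dynamic flag set, the effective selector after a few authenticated packets is whatever the peer chose to send, so the trust decision is made at negotiation time, and the audit list is the only record of what was opened.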