
RE: Do we actually need dynamic ports?
At 6:44 PM -0800 4/4/02, Sankar Ramamoorthi wrote:
>> -----Original Message-----
>>  From: Jan Vilhuber [mailto:vilhuber@cisco.com]
>>  Sent: Thursday, April 04, 2002 5:29 PM
>>  To: Michael Choung Shieh
>>  Cc: Tero Kivinen; ipsec@lists.tislabs.com; Paul Hoffman / VPNC
>>  Subject: RE: Do we actually need dynamic ports?
>>
>>
>>  On Thu, 4 Apr 2002, Michael Choung Shieh wrote:
>>
>>  >
>>  > Doing extra IKE to create a new SA DURING application will introduce extra
>>  > latency and it may cause packet drop or retransmit.  It's probably not
>>  > preferred if every FTP put/get will delay one or two seconds when passing
>>  > through IKE.
>>  >
>>
>>  I don't think I'm going to reopen that discussion. We're talking about
>>  the option of:
>>
>>  a) negotiate an 'update' to an SA
>>  or
>>  b) negotiate a new (expanded) SA and delete the old one
>>
>>  In both cases you need an active phase 1 IKE SA. If you still have one
>>  around, no extra expense is incurred. If not, you'll need to add one.
>>
>>  Doing this without negotiating something wasn't one of the proposed
>>  options.
>
>proposed where? - I do not see it in the requirements document.
>Are you implying the draft from pyada and you?

No, in the (a) and (b) list that I proposed above. There has to be 
some negotiation: it isn't OK for the sender to say "I'm going to 
open up this port on your box because I want to and you can't do 
anything about it".

>The requirement for minimizing the latency seems a genuine one,
>particularly when using service based vpns - since the hit is now
>potentially on every new connection.

We are not talking about new connections here: we are talking about 
dynamically changing the policy in an existing SA to include more or 
fewer ports.

--Paul Hoffman, Director
--VPN Consortium