
RE: Do we actually need dynamic ports?



On Fri, 5 Apr 2002, Rajesh Mohan wrote:

>
>
> > -----Original Message-----
> > From: Jan Vilhuber [mailto:vilhuber@cisco.com]
> > Sent: Friday, April 05, 2002 9:41 AM
> > To: Michael Choung Shieh
> > Cc: 'Tero Kivinen '; 'ipsec@lists.tislabs.com '; 'Paul
> > Hoffman / VPNC '
> > Subject: RE: Do we actually need dynamic ports?
> >
> >
> > On Thu, 4 Apr 2002, Michael Choung Shieh wrote:
> >
> > >
> > > Option (b) is to "negotiate a new (expanded) SA" and introduce extra
> > > latency.
> >
> > How does it add latency over option a, which is negotiate an update?
> > It will be 1 round-trip in either case. Option b adds a delete
> > notification, but traffic can start flowing before the delete
> > notification, so no latency (over option a) is added.
> >
> > In any case, unless we reopen the discussion I alluded to, you HAVE to
> > negotiate with the other end to widen the selectors, so 1 round-trip
> > is the minimum you can do safely.
> >
>

> I think this proposal is nothing more than a check mark in an IKE
> marketing brochure saying that IKE could do dynamic ports. I don't
> think I will implement it if I have to buffer data traffic in
> between a session when my control channel gets me a new session
> key. Though there are no other good solutions, it does not mean we
> should agree to an impractical solution.

You're free to implement whatever you please. No one's holding a gun
to your head.

To me, it's more than a marketing bullet. I'm not in marketing and
plan on keeping it that way.

> I wish there was a world with simple ESP which could give me a
> secure tunnel between two points and a simple IKE which would take an
> identifier and give me a session key. I could engineer a lot of useful
> things using these protocols. All the other things we added could be
> pulled in when I have to deal with a hostile enemy.

You can implement whatever you want. Just don't expect everything you
implement to be reflected in the standard and don't expect to
interoperate with everyone. Remember to use vendor IDs.

jan

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
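The round-trip comparison in the quoted exchange above, as an added example that is not part of the original thread or of any IKE implementation: a toy Python model of option (a), updating the existing SA's selectors in place, and option (b), negotiating a new SA with widened selectors and then deleting the old one. A data packet to a port no live SA covers is queued, the negotiation runs, and the model records how many request/response round trips the packet waited for and how many control messages were sent in total. The message kinds (UPDATE, CREATE, DELETE, ACK), the SPIs, the ports and every helper name are hypothetical; the selectors are simplified to a port range and protocol.

```python
"""Added example (not code from the mailing-list thread): toy model of widening
an SA's traffic selectors by (a) updating the SA or (b) creating a new one.
Message names, SPIs, ports and helpers are hypothetical; selectors are
simplified to a port range plus IP protocol. Not an IKE implementation."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Selector:
    """Simplified traffic selector: a port range and an IP protocol (6 = TCP)."""
    port_lo: int
    port_hi: int
    proto: int = 6

    def covers(self, port: int, proto: int) -> bool:
        return self.proto == proto and self.port_lo <= port <= self.port_hi

    def widened_to(self, port: int) -> "Selector":
        """The 'expanded' selector: the old range stretched to include `port`."""
        return Selector(min(self.port_lo, port), max(self.port_hi, port), self.proto)


@dataclass
class SA:
    spi: int
    selector: Selector
    alive: bool = True


class Peer:
    """One endpoint: SA database, packets waiting for an SA, packets already sent."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.sad: Dict[int, SA] = {}
        self.pending: List[Tuple[int, int]] = []          # (port, proto) awaiting an SA
        self.sent: List[Tuple[int, int, int]] = []        # (port, spi, round trips waited)
        self.log: List[str] = []

    def lookup(self, port: int, proto: int) -> Optional[SA]:
        for sa in self.sad.values():
            if sa.alive and sa.selector.covers(port, proto):
                return sa
        return None

    def install(self, sa: SA) -> None:
        self.sad[sa.spi] = SA(sa.spi, sa.selector, sa.alive)   # private copy per peer


class Link:
    """Carries control messages and counts them; a request blocks for one round trip."""

    def __init__(self) -> None:
        self.round_trips = 0
        self.messages = 0

    def request(self, src: Peer, dst: Peer, kind: str, sa: SA) -> None:
        self.messages += 2                     # request + ACK
        self.round_trips += 1                  # initiator waits for the ACK
        src.log.append(f"-> {kind} spi={sa.spi:#x} {sa.selector}")
        dst.install(sa)
        dst.log.append(f"<- {kind} spi={sa.spi:#x}; -> ACK")
        src.install(sa)

    def notify(self, src: Peer, dst: Peer, kind: str, spi: int) -> None:
        self.messages += 1                     # one-way; nobody waits for it
        src.log.append(f"-> {kind} spi={spi:#x}")
        dst.log.append(f"<- {kind} spi={spi:#x}")
        for peer in (src, dst):
            peer.sad[spi].alive = False


def protect_pending(link: Link, src: Peer) -> None:
    """Send queued packets on whatever live SA now covers them, noting the wait."""
    for port, proto in src.pending:
        sa = src.lookup(port, proto)
        if sa is not None:
            src.sent.append((port, sa.spi, link.round_trips))
    src.pending.clear()


def widen(option: str, link: Link, init: Peer, resp: Peer, old_spi: int,
          port: int, deliver: Callable[[], None]) -> None:
    wider = init.sad[old_spi].selector.widened_to(port)
    if option == "a":                           # update the existing SA in place
        link.request(init, resp, "UPDATE", SA(old_spi, wider))
        deliver()
    elif option == "b":                         # new SA, then delete the old one
        link.request(init, resp, "CREATE", SA(0x1002, wider))
        deliver()                               # traffic flows before the delete ...
        link.notify(init, resp, "DELETE", old_spi)   # ... which adds no wait
    else:
        raise ValueError(option)


def run(option: str) -> dict:
    """Constructed scenario: one SA covers TCP port 5000; a packet to 6001 arrives."""
    init, resp, link = Peer("initiator"), Peer("responder"), Link()
    for peer in (init, resp):
        peer.install(SA(0x1001, Selector(5000, 5000)))
    port = 6001
    if init.lookup(port, 6) is None:            # not covered: queue it and negotiate
        init.pending.append((port, 6))
        widen(option, link, init, resp, 0x1001, port,
              lambda: protect_pending(link, init))
    _, spi, waited = init.sent[0]
    return {"option": option, "round_trips_before_traffic": waited,
            "control_messages": link.messages, "spi_used": spi,
            "old_sa_alive": init.sad[0x1001].alive,
            "responder_covers_port": resp.lookup(port, 6) is not None}
```

Both paths make the queued packet wait exactly one round trip; option (b) costs one extra control message, the delete, which is sent after the packet has already gone out on the new SA. The queueing in `run` is the buffering the second quoted message objects to: the model does not remove it, it only shows that neither option makes it longer than one negotiation.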