
RE: Do we actually need dynamic ports?



It looks like an English professor will get more work done on this list than an engineer.

Anyway, my point is, your proposal does not have my vote, for whatever it is worth.



> -----Original Message-----
> From: Jan Vilhuber [mailto:vilhuber@cisco.com]
> Sent: Friday, April 05, 2002 11:26 AM
> To: Rajesh Mohan
> Cc: Michael Choung Shieh; Tero Kivinen; ipsec@lists.tislabs.com; Paul
> Hoffman / VPNC
> Subject: RE: Do we actually need dynamic ports?
> 
> 
> On Fri, 5 Apr 2002, Rajesh Mohan wrote:
> 
> >
> >
> > > -----Original Message-----
> > > From: Jan Vilhuber [mailto:vilhuber@cisco.com]
> > > Sent: Friday, April 05, 2002 9:41 AM
> > > To: Michael Choung Shieh
> > > Cc: 'Tero Kivinen '; 'ipsec@lists.tislabs.com '; 'Paul
> > > Hoffman / VPNC '
> > > Subject: RE: Do we actually need dynamic ports?
> > >
> > >
> > > On Thu, 4 Apr 2002, Michael Choung Shieh wrote:
> > >
> > > >
> > > > Option (b) is to "negotiate a new (expanded) SA" and introduce extra
> > > > latency.
> > >
> > > How does it add latency over option a, which is negotiate an update?
> > > It will be 1 round-trip in either case. Option b adds a delete
> > > notification, but traffic can start flowing before the delete
> > > notification, so no latency (over option a) is added.
> > >
> > > In any case, unless we reopen the discussion I alluded to, you HAVE to
> > > negotiate with the other end to widen the selectors, so 1 round-trip
> > > is the minimum you can do safely.
> > >
> >
> 
> > I think this proposal is nothing more than a check mark in an IKE
> > marketing brochure saying that IKE can do dynamic ports. I don't
> > think I will implement it if I have to buffer data traffic in
> > between a session when my control channel gets me a new session
> > key. Though there are no other good solutions, it does not mean we
> > should agree to an impractical solution.
> 
> You're free to implement whatever you please. No one's holding a gun
> to your head.
> 
> To me, it's more than a marketing bullet. I'm not in marketing and
> plan on keeping it that way.
> 
> > I wish there was a world with a simple ESP which could give me a
> > secure tunnel between two points and a simple IKE which would take an
> > identifier and give me a session key. I could engineer a lot of useful
> > things using these protocols. All the other things we added could be
> > pulled in when I have to deal with a hostile enemy.
> 
> You can implement whatever you want. Just don't expect everything you
> implement to be reflected in the standard and don't expect to
> interoperate with everyone. Remember to use vendor-id's.
> 
> jan
> 
>  --
> Jan Vilhuber                                            
> vilhuber@cisco.com
> Cisco Systems, San Jose                                     
> (408) 527-0847
> 
>