
Re: IKEv2: prepending four octets



ravivsn@roc.co.in (Ravi) writes:
> So, we will not disturb these NAT devices to work on port 500.
> Since IKEv2 is now being built from scratch, we shall standardise port 4500
> instead of 500. A non-zero value in the first
> four bytes indicates IPsec packets and zeros indicate IKE packets.

The problem with that is that it causes a long timeout during the
transition period, i.e. if the initiator supports both IKEv1 and IKEv2, it
would start with IKEv2 to port 4500. A responder which only supports
IKEv1 would not even see those packets, and the initiator would have
to wait for the timeout (tens of seconds or even a few minutes?) before
falling back to IKEv1 and port 500.

If the initiator starts with port 500 (with the IKEv2 protocol), then the
IKEv1 implementation will see the packet, and hopefully it will send back
the notification INVALID-MAJOR-VERSION. There will be implementations out
there that will not send that notification back, but those who did
this properly and send the notification can get rid of the extra
timeout.
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
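The two mechanisms discussed in this thread, demultiplexing IKE from ESP on port 4500 by the leading four octets and a version-1-only responder answering an IKEv2 header with INVALID-MAJOR-VERSION, as an added example that is not part of this email or of any SSH code. The IKE header layout is the standard 28-octet ISAKMP header; the single 0xFF NAT-keepalive octet is the later RFC 3948 convention and is included as the edge case a demuxer must handle; the sample datagrams are constructed.

```python
import struct
from enum import Enum

IKE_HEADER_LEN = 28  # ISAKMP/IKE header: 2x8-octet SPI, 4 octets, msg id, length
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # four zero octets in front of IKE on 4500


class Kind(Enum):
    IKE = "ike"
    ESP = "esp"
    KEEPALIVE = "keepalive"


def classify_udp4500(payload: bytes) -> Kind:
    """Demultiplex a UDP/4500 datagram: zeros in the first four octets mean
    IKE, a non-zero first word is an ESP SPI (SPI 0 is reserved, which is
    what makes the marker unambiguous). A lone 0xFF is a NAT keepalive."""
    if payload == b"\xff":
        return Kind.KEEPALIVE
    if len(payload) < 4:
        raise ValueError("datagram too short to classify")
    return Kind.IKE if payload[:4] == NON_ESP_MARKER else Kind.ESP


def ike_major_version(ike: bytes) -> int:
    """Major version is the high nibble of the version octet (offset 17)."""
    if len(ike) < IKE_HEADER_LEN:
        raise ValueError("truncated IKE header")
    _ispi, _rspi, _next, version, _exch, _flags, _msgid, _len = struct.unpack(
        "!QQBBBBII", ike[:IKE_HEADER_LEN])
    return version >> 4


def responder_action(payload: bytes, supported_major: int = 1) -> str:
    """What a responder that only speaks `supported_major` does with a datagram
    received on port 4500: IKE of another major version gets the notification,
    so a dual-stack initiator need not wait for a timeout before falling back."""
    kind = classify_udp4500(payload)
    if kind is not Kind.IKE:
        return kind.value
    major = ike_major_version(payload[len(NON_ESP_MARKER):])
    return "process-ike" if major == supported_major else "INVALID-MAJOR-VERSION"


def build_ike_header(major: int, exchange_type: int, ispi: int = 0x1122334455667788) -> bytes:
    """Constructed header-only IKE message (no payloads): version octet packs
    major in the high nibble, minor 0; responder SPI 0 as in a first message."""
    return struct.pack("!QQBBBBII", ispi, 0, 0, major << 4, exchange_type, 0, 0,
                       IKE_HEADER_LEN)
```

Exchange type 34 is IKEv2 IKE_SA_INIT and 2 is IKEv1 identity-protection (main mode); both are only used to build realistic sample headers here.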