[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IKEv2: prepending four octets
Hi,
Tero Kivinen wrote:
>ravivsn@roc.co.in (Ravi) writes:
>
>>
>>So, we will not disturb these NAT devices to work on port 500
>>Since, IKEv2 is now building from scratch we shall standardise Port 4500
>>instead of 500.The non Zero in first
>> four bytes indicates IPsec packets and Zeros indicate IKE packets.
>>
>
>
>The problem with that is that it causes long timeout during the
>transition period, i.e if initiator supports both IKEv1 and IKEv2, it
>would start with IKEv2 to port 4500. The responder which only supports
>IKEv1, would not even see those packets, and the initiator would have
>to wait for the timeout (tens of seconds or even few minutes?) before
>falling back to IKEv1 and port 500.
>
>If the initiator starts with port 500 (with IKEv2 protocol) then the
>IKEv1 implement will see the packet, and hopefully it will send back
>notification INVALID-MAJOR-VERSION. There will be implementations out
>there that will not send that notification back, but for those who did
>this properly and will send the notification, can get rid of the extra
>timeout.
>
I understand the reasoning. Thank you for this. But, to me it seems unnecessary complication. I feel, it is reasonable to wait until timeout and standardize one port for both NAT/No-NAT traversal.
--
The views presented in this mail are completely mine. The company is not responsible for whatsoever.
----------
Ravi Kumar CH
Trainee Research Associate
Rendezevous On Chip (i) Pvt Ltd
Hyderabad, India
Ph: +91-40-2335 1214 / 1175 / 1184
ROC home page