
Re: IKEv2: prepending four octets



Hi,

Tero Kivinen wrote:
> ravivsn@roc.co.in (Ravi) writes:
>
>> So, we will not disturb these NAT devices to work on port 500.
>> Since IKEv2 is now building from scratch, we shall standardise port 4500
>> instead of 500. The non-zero in the first four bytes indicates IPsec
>> packets and zeros indicate IKE packets.
>
> The problem with that is that it causes a long timeout during the
> transition period, i.e. if the initiator supports both IKEv1 and IKEv2, it
> would start with IKEv2 to port 4500. The responder which only supports
> IKEv1 would not even see those packets, and the initiator would have
> to wait for the timeout (tens of seconds or even a few minutes?) before
> falling back to IKEv1 and port 500.
>
> If the initiator starts with port 500 (with the IKEv2 protocol) then the
> IKEv1 implementation will see the packet, and hopefully it will send back
> the notification INVALID-MAJOR-VERSION. There will be implementations out
> there that will not send that notification back, but those who did
> this properly and will send the notification can get rid of the extra
> timeout.

I understand the reasoning. Thank you for this. But, to me it seems an unnecessary complication. I feel it is reasonable to wait until timeout and standardize one port for both NAT/No-NAT traversal.

--
The views presented in this mail are completely mine. The company is not responsible for whatsoever.

----------
Ravi Kumar CH
Trainee Research Associate
Rendezevous On Chip (i) Pvt Ltd
Hyderabad, India
Ph: +91-40-2335 1214 / 1175 / 1184
ROC home page
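The two mechanisms the thread discusses, the four-octet marker that separates IKE from ESP on UDP 4500 and the major-version check that lets an IKEv1 responder answer an IKEv2 packet on port 500, as an added example that is not part of the thread; the sample datagrams are constructed, and `responder_action` is a minimal model of the responder decision Tero describes, not any implementation's code:

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Four zero octets prepended to IKE traffic on UDP 4500. ESP SPI 0 is
# reserved, so a real ESP packet can never start with this marker.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
IKE_HEADER_LEN = 28  # ISPI(8) RSPI(8) next(1) version(1) exch(1) flags(1) msgid(4) length(4)


@dataclass
class Classified:
    kind: str              # "ike" or "esp"
    major: Optional[int]   # IKE major version (1 or 2); None for ESP
    spi: bytes             # IKE initiator SPI or ESP SPI


def classify_udp4500(payload: bytes) -> Classified:
    """Demultiplex a UDP/4500 datagram: zero marker => IKE, anything else => ESP."""
    if len(payload) < 8:
        raise ValueError("datagram too short to be IKE or ESP")
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            raise ValueError("truncated IKE header")
        ispi, _rspi, _next, version, _exch, _flags, _msgid, length = struct.unpack(
            "!8s8sBBBBII", ike[:IKE_HEADER_LEN])
        if length < IKE_HEADER_LEN:
            raise ValueError("IKE length field smaller than header")
        return Classified("ike", version >> 4, ispi)   # major version is the high nibble
    return Classified("esp", None, payload[:4])


def responder_action(major: int, supported_major: int) -> str:
    """Model of the responder: process a matching major version, otherwise
    reply with INVALID-MAJOR-VERSION so the initiator can fall back at once."""
    return "process" if major == supported_major else "INVALID-MAJOR-VERSION"


# Constructed samples: an IKEv2 IKE_SA_INIT request behind the marker, and an ESP packet.
IKE_SAMPLE = NON_ESP_MARKER + struct.pack(
    "!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 33, 0x20, 34, 0x08, 0, IKE_HEADER_LEN)
ESP_SAMPLE = b"\x00\x00\x01\x02" + struct.pack("!I", 1) + b"\xaa" * 16

if __name__ == "__main__":
    for pkt in (IKE_SAMPLE, ESP_SAMPLE):
        c = classify_udp4500(pkt)
        print(c.kind, c.major, c.spi.hex())
    print(responder_action(2, supported_major=1))  # an IKEv1-only responder seeing IKEv2
```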