
Re: IKEv2: prepending four octets



 In your previous mail you wrote:

   I think that we should at least agree that a peer that only works with port
   4500 such as Ravi describes should interoperate with all IKEv2
   implementations.
   
=> I agree.

   IOW an IKEv2 implementation must not assume that peers start the
   negotiations on port 500.

=> I agree.

   Coding a Remote Access client like that is
   acceptable, since clients always initiate the first IKE negotiation.
   Gateways may initiate the negotiation on port 4500 when working with IKEv2
   peers (in fact, this could be a recommendation at the SHOULD level), but
   they SHOULD also listen on port 500.
   
=> I believe we should give at least a MAY to initiate over 500 and 4500,
perhaps with a SHOULD for port 4500 if one knows there is a NAT and a SHOULD
for port 500 if one knows there is no NAT. In fact, this is more in the
scope of a BCP. About listening, I am in favor of a MUST for both 500
and 4500.

Regards

Francis.Dupont@enst-bretagne.fr
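As an added illustration (not code from the thread or from any implementation it mentions) of what listening on both ports entails for a responder: a demultiplexer that accepts IKE on UDP 500 as well as UDP 4500, and on 4500 uses the four prepended zero octets (the non-ESP marker of RFC 7296 section 2.23) to tell IKE from UDP-encapsulated ESP (RFC 3948, whose first four octets are a non-zero SPI) and from the one-octet 0xFF NAT-keepalive. The header layout, the sample header builder and the port constants are assumptions taken from those RFCs, not from this mail.

```python
import struct

IKE_PORT = 500
IKE_NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # four zero octets prepended to IKE on 4500
IKE_HEADER_LEN = 28                     # fixed IKEv2 header (RFC 7296 section 3.1)
IKEV2_MAJOR = 2


def build_ike_header(ispi, exchange_type, rspi=0, msg_id=0, body=b""):
    """Constructed sample data: an IKEv2 header (version 2.0, Initiator flag set)."""
    length = IKE_HEADER_LEN + len(body)
    return struct.pack("!QQBBBBII", ispi, rspi, 0, 0x20, exchange_type, 0x08, msg_id, length) + body


def parse_ike_header(msg):
    """Return (initiator_spi, responder_spi, exchange_type, length); raise ValueError if malformed."""
    if len(msg) < IKE_HEADER_LEN:
        raise ValueError("truncated IKE header")
    ispi, rspi, _next_payload, version, exch, _flags, _msg_id, length = struct.unpack(
        "!QQBBBBII", msg[:IKE_HEADER_LEN])
    if version >> 4 != IKEV2_MAJOR:
        raise ValueError("not IKEv2 (major version %d)" % (version >> 4))
    if length != len(msg):
        raise ValueError("length field %d does not match datagram size %d" % (length, len(msg)))
    return ispi, rspi, exch, length


def classify_datagram(local_port, data):
    """Classify one UDP datagram received on local_port.
    Returns (kind, payload) with kind in 'ike', 'esp', 'keepalive', 'drop'."""
    if local_port == IKE_PORT:
        # Plain IKE, no marker: a peer is allowed to start here (or never to use 500 at all).
        return ("ike", data)
    if local_port != IKE_NATT_PORT:
        return ("drop", b"")
    if data == b"\xff":
        return ("keepalive", b"")          # NAT-keepalive, RFC 3948 section 2.3
    if len(data) < 4:
        return ("drop", b"")               # too short to carry an SPI or a marker
    if data[:4] == NON_ESP_MARKER:
        return ("ike", data[4:])           # strip the four octets before IKE parsing
    return ("esp", data)                   # leading non-zero SPI: UDP-encapsulated ESP
```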