
RE: IKEv2:limitation of 4k for UDP payload



That Check Point implements it is nice, if you have a Check Point client.
This does not add interoperability, which is the main concern of the IKE
document.

I don't think we can standardize on TCP as a MUST requirement, because many
TCP stacks are vulnerable to DoS attacks.  It would be nice, though, to have
an optional IKE over TCP.

-----Original Message-----
From: owner-ipsec@lists.tislabs.com
[mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Vinay K Nallamothu
Sent: Thursday, March 27, 2003 8:07 AM
To: Ravi
Cc: ipsec@lists.tislabs.com
Subject: Re: IKEv2:limitation of 4k for UDP payload


On Wed, 2003-03-26 at 19:12, Ravi wrote:
> and why UDP is chosen for IKE over TCP.
Just rewording one of the earlier discussions:

One of the design requirements is transport protocol independence,
because of which IKE cannot make assumptions about the reliable streaming
capabilities of a transport layer such as TCP. This seems to be the
reason why UDP was chosen over TCP.

But this does not stop anyone from implementing IKE over TCP. In fact, a few
implementations already do this, e.g. Check Point FW-1 NG FP3.

You can find the original discussion at
http://www.sandelman.ottawa.on.ca/ipsec/1999/05/msg00014.html

vinay
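The point made in the thread, that IKE cannot rely on its transport for reliable delivery, is easiest to see in code. The Python model below is an added illustration, not code from this thread or from any IKE implementation; the LossyDatagramTransport class, its drop pattern and the (message_id, payload) tuple layout are constructed assumptions for the example. It shows the two mechanisms that an IKE-style protocol over UDP has to supply itself: the initiator retransmits an unanswered request unchanged under the same message ID, and the responder keeps the last response per message ID so that a retransmitted request is answered by replaying that response rather than by redoing the work. Over TCP the stream layer would absorb the lost datagrams and neither mechanism would be needed.

```python
"""Why an IKE-style exchange over an unreliable datagram transport must
supply its own reliability.  Added example, not code from the thread or
from any IKE implementation; transport, loss pattern and message layout
are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class LossyDatagramTransport:
    """Models UDP: a datagram is either delivered or silently dropped.
    drop_pattern[i] is True when the i-th send on this transport is lost
    (constructed input); sends past the end of the pattern are delivered."""
    drop_pattern: list
    sent: int = 0

    def send(self, datagram):
        idx = self.sent
        self.sent += 1
        if idx < len(self.drop_pattern) and self.drop_pattern[idx]:
            return None          # lost in transit, nobody is told
        return datagram


@dataclass
class Responder:
    """Responder side.  Requests carry a message ID that must advance by one;
    the last response per ID is cached so a retransmission of an already
    answered request is replayed instead of processed a second time."""
    next_expected_id: int = 0
    last_response: dict = field(default_factory=dict)
    work_done: int = 0       # how many requests were actually processed

    def handle(self, msg_id, payload):
        if msg_id in self.last_response:
            return self.last_response[msg_id]     # replay cached response
        if msg_id != self.next_expected_id:
            return None                           # out of window: ignore
        self.work_done += 1
        resp = (msg_id, b"RESP:" + payload)
        self.last_response[msg_id] = resp
        self.next_expected_id += 1
        return resp


def run_exchange(transport, responder, msg_id, payload, max_tries=5):
    """Initiator side of one request/response exchange.  Returns the
    delivered response (or None) and the number of attempts needed.
    A lost request and a lost response look identical to the initiator:
    a timer expires and the same message is sent again."""
    for attempt in range(1, max_tries + 1):
        req = transport.send((msg_id, payload))
        if req is None:
            continue                     # request lost: retransmit
        resp = responder.handle(*req)
        if resp is None:
            continue                     # responder ignored it: retransmit
        delivered = transport.send(resp)
        if delivered is None:
            continue                     # response lost: retransmit request
        return delivered, attempt
    return None, max_tries


if __name__ == "__main__":
    # Constructed loss pattern: request lost, then the response lost, then
    # both sides' datagrams get through.
    link = LossyDatagramTransport(drop_pattern=[True, False, True, False, False])
    peer = Responder()
    result, tries = run_exchange(link, peer, 0, b"SA_INIT")
    print(result, "after", tries, "attempts; responder processed",
          peer.work_done, "request(s)")
```

Running the block shows the exchange completing on the third attempt while the responder did the work only once: the second copy of the request was satisfied from the response cache. The same cache is what lets the responder stay consistent when it cannot tell whether its earlier response was lost or merely delayed.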