
Re: [Ipsec] big IKE packets





>>>>> "Paul" == Paul Koning <pkoning@equallogic.com> writes:
    Michael> We could have an option to run over TCP.  But, consider if
    Michael> one is doing IPsec in the first place to protect TCP
    Michael> management sessions. Ooops.

    Paul> So?  That's no more an issue than it is for UDP.  A TCP IKE
    Paul> session would not go through IPsec, just like port 500
    Paul> UDPgrams don't use IPsec.

  But, they would be vulnerable to the TCP RST attacks that we might in
fact be trying to defend against in the first place.

- --
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

