
Re: [Pki4ipsec] Re: [Ipsec] big IKE packets



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Dan" == Dan McDonald <danmcd@east.sun.com> writes:
    Dan> Can't modern firewalls tag the initial segment's ID, and let
    Dan> matching IDs through?  I know there's packet reordering and
    Dan> implementations that send the last fragment first, but the
    Dan> former is relatively rare, and the latter can be fixed.

  Yes, modern firewalls do all of this.

  But, consumer grade DSL sharing devices, and multiple "cheap" DSLAM
boxes that provide for "virus protection" do not do this.

  My experience is that neither side of the IPsec connection was in
control of these boxes, often unaware of them, and worse -- the ISPs
themselves were often ignorant of them.

  IKEv1 PSK will work fine, or RSA without CERTREQ/CERT, but not with
the CERT in place.

    Dan> And IPv4 can be configured to act just like IPv6 in this
    Dan> regard.  Our IP, for example, sets the DF bit by default on
    Dan> outbound packets.

    Paul> I dislike inventing new protocols to address previously solved
    Paul> problems.

    Dan> I agree with Paul 100%.  Let's not reinvent the wheel more than
    Dan> we have to in IKEv2.
  
  I agree. I'd rather use TCP. I don't think it is practical to do that.
  (remember, that I'd prefer never to send the certificates in-band at all...)

- --
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQTThsYqHRg3pndX9AQFI3gP+KHxGI53iwsgEbLRPKUAo5JjPywVX/Apv
hKGRY72m6A6AKLNr+aGLz1MYwruYPHRVKd9sbEB5uT0xC3RkR9vGyUOvT1DvF7U3
pQ2gMf/zQ1Pnp3zq6LgEVBd/9eYloUc87CkVszvgvPVLGV1lEeFv7Tb1K4YqXOoz
dujVlPZjGSA=
=dk/J
-----END PGP SIGNATURE-----

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
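A worked model of the fragment-handling problem the thread describes, as an added example that is not part of the list post or of any IKE implementation. It builds the rough size of an IKEv1 Main Mode authentication message for PSK, RSA without CERT, and RSA with CERT (all payload sizes, the 1500-byte path MTU, the RSA-2048 key and certificate sizes, and the addresses are assumptions chosen for illustration), fragments it the way an IPv4 router would, and then pushes the fragments through three hypothetical middleboxes: a consumer box that forwards only unfragmented datagrams, a firewall that tags the initial fragment's ID as Dan suggests, and the same firewall with the "last fragment first" fix of holding out-of-order pieces until the initial fragment arrives.

```python
"""Why IKEv1 with in-band certificates dies at fragment-hostile middleboxes.

Added example; sizes and addresses are assumptions, not measurements.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

IPV4_HDR = 20
UDP_HDR = 8
ISAKMP_HDR = 28
PATH_MTU = 1500           # assumption: plain Ethernet path, no PMTU discovery

# Assumed rough payload sizes for an IKEv1 Main Mode message 5/6:
ID_PAYLOAD = 16
HASH_PAYLOAD = 24         # PSK auth: HASH_I/HASH_R with SHA-1 plus generic header
SIG_PAYLOAD = 4 + 256     # RSA-2048 signature plus generic header
CERT_PAYLOAD_HDR = 5      # generic header plus encoding byte
TYPICAL_CERT_DER = 1400   # assumed DER size of an RSA-2048 X.509 certificate


def ike_ip_payload_len(auth: str, send_cert: bool) -> int:
    """IP payload (UDP + ISAKMP) length of the authentication message."""
    n = UDP_HDR + ISAKMP_HDR + ID_PAYLOAD
    if auth == "psk":
        n += HASH_PAYLOAD
    elif auth == "rsa":
        n += SIG_PAYLOAD
        if send_cert:
            n += CERT_PAYLOAD_HDR + TYPICAL_CERT_DER
    else:
        raise ValueError(auth)
    return n


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: int
    ident: int        # IPv4 Identification field shared by all pieces
    offset: int       # byte offset of this piece in the original datagram
    more: bool        # MF flag
    length: int

    @property
    def key(self) -> Tuple[str, str, int, int]:
        return (self.src, self.dst, self.proto, self.ident)


def fragment(src: str, dst: str, proto: int, ident: int,
             payload_len: int, mtu: int = PATH_MTU) -> List[Fragment]:
    """Split a datagram as an IPv4 router would (fragment sizes are multiples of 8)."""
    chunk = (mtu - IPV4_HDR) // 8 * 8
    out, off = [], 0
    while off < payload_len:
        n = min(chunk, payload_len - off)
        out.append(Fragment(src, dst, proto, ident, off, off + n < payload_len, n))
        off += n
    return out


class DropFragments:
    """Consumer-grade box: forwards only unfragmented datagrams."""
    def feed(self, f: Fragment) -> List[Fragment]:
        return [f] if (f.offset == 0 and not f.more) else []


class TagInitial:
    """Records the ID of each initial fragment and passes later pieces with a matching ID."""
    def __init__(self) -> None:
        self.seen: Set[tuple] = set()

    def feed(self, f: Fragment) -> List[Fragment]:
        if f.offset == 0:
            self.seen.add(f.key)
            return [f]
        return [f] if f.key in self.seen else []


class TagInitialWithQueue(TagInitial):
    """Same, but holds non-initial pieces until their initial fragment shows up."""
    def __init__(self) -> None:
        super().__init__()
        self.pending: Dict[tuple, List[Fragment]] = {}

    def feed(self, f: Fragment) -> List[Fragment]:
        if f.offset == 0:
            self.seen.add(f.key)
            return [f] + self.pending.pop(f.key, [])
        if f.key in self.seen:
            return [f]
        self.pending.setdefault(f.key, []).append(f)
        return []


def delivered(frags: List[Fragment], box) -> bool:
    """True when every piece gets through, i.e. the far end can reassemble."""
    out: List[Fragment] = []
    for f in frags:
        out.extend(box.feed(f))
    return {f.offset for f in out} == {f.offset for f in frags} and len(out) == len(frags)


def ike_survives(auth: str, send_cert: bool, box_cls, last_first: bool = False) -> bool:
    """Does the IKE message reach the peer intact through a fresh instance of box_cls?"""
    frags = fragment("203.0.113.1", "198.51.100.2", 17, 0x4242,
                     ike_ip_payload_len(auth, send_cert))
    if last_first:
        frags = list(reversed(frags))   # sender that emits the last fragment first
    return delivered(frags, box_cls())


if __name__ == "__main__":
    for auth, cert in (("psk", False), ("rsa", False), ("rsa", True)):
        print(auth, "cert" if cert else "no-cert", ike_ip_payload_len(auth, cert),
              ike_survives(auth, cert, DropFragments))
    print("tag-initial, last first:", ike_survives("rsa", True, TagInitial, True))
    print("tag-initial+queue, last first:", ike_survives("rsa", True, TagInitialWithQueue, True))
```

With these assumed sizes the PSK and RSA-without-CERT messages fit in one datagram and pass every box, while the message carrying the certificate splits into two fragments, which the consumer box drops entirely, the tagging firewall passes only when the initial fragment arrives first, and the queueing variant passes in either order. Raising `TYPICAL_CERT_DER` or adding a second certificate to the chain pushes the count higher, which is why a single oversized IKE message is enough to make the cert-based exchange fail where PSK works.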