
Re: [Ipsec] big IKE packets



>>>>> "Yoav" == Yoav Nir <ynir@checkpoint.com> writes:
    Yoav> Oops, sorry. I meant Michael's idea.

  So, I'm not attached to it.

  Running over TCP is certainly an option --- but as you indicate it
means switching somehow to UDP if you need to do NAT-T.

  That's why I suggested a mechanism that lives entirely within IKE,
and that permits IKE to verify that each fragment arrived independently.
  
  I believe that we will see some increase in host<->host IPsec to
secure long-lived TCP connections against attacks. 
  I would hate to introduce an unprotected, long-lived TCP connection.

- --
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec