On Jun 7, 2012, at 10:26 AM, Nico Williams wrote:

> On Thu, Jun 7, 2012 at 11:54 AM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
>> On Jun 7, 2012, at 9:43 AM, Paul Wouters wrote:
>>> Also, if we are doing this, I'd prefer to be able to signal which tcp
>>> port to use, to make it more flexible to bypass port 500 blocks (which
>>> is part of the tcp 10000 implementation I believe)
>> 
>> That seems fine to me. However, assuming that a firewall that blocks TCP/500 
>> will not block TCP/somerandomnewnumber is not wise.
> 
> Use port 80.
> 
> (I'm being half facetious, half sarcastic, and half serious with this.)


Being non-all-of-the-above: that won't work. Many firewalls that are blocking 
UDP fragments do deep packet inspection on port 80 and will throw away traffic 
that doesn't look like HTTP. (Don't get me started on "look like"...)

--Paul Hoffman

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec