Re: [IPsec] Feedback on the interim session's format

2009-02-05 Thread Paul Hoffman
At 9:43 AM -0700 2/5/09, Grewal, Ken wrote: >If there are alternatives that would allow operation over 'well known' ports >such as 80, then those would be preferable. Not necessarily. There are likely to be folks who have firewalls that inspect what goes on port 80 and, seeing non-HTTP gibberish

Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments

2009-02-05 Thread Dragan Grebovich
I looked for some traffic stats in a real, large enterprise network and I found that UDP comprises 25-30% vs. TCP 70-75% of all traffic. The stats were measured on multiple places in the network, and multiple samples were taken over the past 6 weeks. Also, there is a slow but consistent growth of

Re: [IPsec] Feedback on the interim session's format

2009-02-05 Thread Grewal, Ken
I had the same problem with our corporate firewall and had to take the call from home and then cut off early to allow for travel time back to office before the next meeting. If there are alternatives that would allow operation over 'well known' ports such as 80, then those would be preferable.

Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments

2009-02-05 Thread Grewal, Ken
By a 'colluding peer', I meant that both sides need to negotiate the same policy (e.g. this is sensitive data, so only allow encrypted traffic or vice versa). I think this boils down to how tight the admin policy is and also whether it is desirable to allow encrypted/clear policies for different

Re: [IPsec] Feedback on the interim session's format

2009-02-05 Thread Paul Koning
> "Yoav" == Yoav Nir writes: >> > Did you encounter any major technical problems (e.g. one >> person's > corporate firewall prevented him from joining)? >> >> Our corporate firewall did block teamspeak ports, but as I knew >> about this beforehand, I was able to get the firewall rules

Re: [IPsec] Bis issue #11: Clarify which traffic selectors

2009-02-05 Thread Paul Hoffman
[[ Changed the subject line because Tero didn't. No other changes. ]] At 2:34 PM +0200 2/5/09, Tero Kivinen wrote: > > IKEv2-bis >> Issue #11: Clarify which traffic selectors to use in rekeying. >> Paul: [unclear]. Tero: if you have SAs that violate the new >> policy, you e

Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments

2009-02-05 Thread Paul Hoffman
At 9:52 AM +0200 2/5/09, Yaron Sheffer wrote: >Hi Gabriel, > >This thread is precisely the discussion that Paul mentions. > >The two alternatives I see on the table right now (Paul might have different >opinions) are: > >- Publish a modified/wrapped ESP as Standards Track, and heuristi

Re: [IPsec] Feedback on the interim session's format

2009-02-05 Thread Yoav Nir
Tero Kivinen wrote: > > Can we live with push-to-talk? > > Push-to-talk works well for normal discussion, but it was > impossible to use when giving presentation, which meant that > I myself changed the setting to voice activated microphone > when I started my presentation, and then changed back t

[IPsec] Draft minutes from the interim meeting

2009-02-05 Thread Tero Kivinen
> IKEv2-bis > Issue #11: Clarify which traffic selectors to use in rekeying. > Paul: [unclear]. Tero: if you have SAs that violate the new > policy, you either delete them or you rekey. Prefers a rekey, > even if this is narrowing the SA. Mostly useful for decorrelat

[IPsec] Feedback on the interim session's format

2009-02-05 Thread Tero Kivinen
Yaron Sheffer writes: > If you feel like going into detail, here are some things we would > like to understand: is the voice+IM format sufficient, or is > application sharing a Must? I think voice + IM is sufficient, but slide sharing would have been even better. Now it was sometimes a bit hard to k

Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments

2009-02-05 Thread Tero Kivinen
Grewal, Ken writes: > The 'bait and switch' attack where a connection uses ESP-NULL and > then at a later stage uses ESP-Encrypted may also be possible > unintentionally. E.g. Connection to a server (cluster / farm) to > gain access to a 'normal' service uses ESP-NULL and then at a later > stage, w

Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments

2009-02-05 Thread Tero Kivinen
Grewal, Ken writes: > Cache eviction - how will this work? > We can keep adding SAs (based on heuristics), but how do we decide > when a given SA is no longer needed? This compounds the issues with > keeping state, as in the best case, cache eviction will likely be > policy based. How is the policy

Re: [IPsec] question about IKEv2 Re-direct

2009-02-05 Thread Yaron Sheffer
Also, REDIRECT_SUPPORTED needs to be sent by both peers if we want to enable this case. Otherwise, when the initiator wants to redirect its peer, it cannot know that the responder actually supports this capability. Thanks, Yaron > -Original Message- > From: ipsec-boun...@ietf.or

Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments

2009-02-05 Thread Yaron Sheffer
Hi Ken, Yoav, I agree with Ken that the policy need not be black and white, but for a different reason. Some people will treat deep packet inspection by middleboxes as an optional service: you want it for most traffic, but some traffic is too sensitive and you choose to prioritize confidential