Yoav Nir writes:
I think section 2.1 makes it clear that the TCP connections should
be short-lived. Specifically, I would not send liveness checks,
which are very short requests and responses over TCP. I would use
UDP exclusively for those.
As liveness checks are supposed to check whether

Yoav Nir writes:
I agree with the concerns Yaron has raised here. I would much prefer
that this be negotiated via notifications during the SA_INIT exchange.
I see a number of benefits:
1. The TCP listening port could be explicitly exchanged (as data in the
notification), rather

On Jun 15, 2012, at 1:34 PM, Tero Kivinen wrote:
2. Since INIT always happens over UDP, as responder, I can immediately
close any TCP connection that doesn't present an IKE header with an SPI
I recognize.
I don't agree that IKE_SA_INIT should always be over UDP. The first
flight of

Valery Smyslov writes:
* Find ways of making the packets smaller: move to PSK, fiddle
with trust anchors so that only one cert is needed, avoid sending
CRLs, hash-and-URL, etc. These are not always successful, and
often require more configuration than we would like.
Not an option either.