Re: [IPsec] New Version Notification for draft-nir-ipsecme-ike-tcp-00.txt

2012-06-15 Thread Tero Kivinen
Yoav Nir writes: I think section 2.1 makes it clear that the TCP connections should be short-lived. Specifically, I would not send liveness checks, which are very short requests and responses over TCP. I would use UDP exclusively for those. As liveness checks are supposed to check whether

Re: [IPsec] New Version Notification for draft-nir-ipsecme-ike-tcp-00.txt

2012-06-15 Thread Tero Kivinen
Yoav Nir writes: I agree with the concerns Yaron has raised here. I would much prefer that this be negotiated via notifications during the SA_INIT exchange. I see a number of benefits: 1. The TCP listening port could be explicitly exchanged (as data in the notification), rather

Re: [IPsec] New Version Notification for draft-nir-ipsecme-ike-tcp-00.txt

2012-06-15 Thread Yoav Nir
On Jun 15, 2012, at 1:34 PM, Tero Kivinen wrote: 2. Since INIT always happens over UDP, as responder, I can immediately close any TCP connection that doesn't present an IKE header with an SPI I recognize. I don't agree that IKE_SA_INIT should always be over UDP. The first flight of

Re: [IPsec] Fragmentation causing IKE to fail

2012-06-15 Thread Tero Kivinen
Valery Smyslov writes: * Find ways of making the packets smaller: move to PSK, fiddle with trust anchors so that only one cert is needed, avoid sending CRLs, hash-and-URL, etc. These are not always successful, and often require more configuration than we would like. Not an option either.