Date: Saturday, 19 September 2015 00:44
To: Valery Smyslov <sva...@gmail.com>
Cc: IPsecME WG <ipsec@ietf.org>, Paul Wouters <p...@nohats.ca>
Subject: Re: [IPsec] WG Interest in TCP Encapsulation
You asked about how widespread this issue is. I cannot provide exact
numbers her
>>> The real question is whether the networks that don't transport ESP or
>>> ESPinUDP block those packets on purpose or by accident. I don't think
>>> we really have any good numbers on this.
>>> If we are doing this as a "workaround" to break through the administrative
>>> boundaries, then we
Hi Valery,
The draft doesn't prevent http encapsulation for the purpose of traversing web
proxies for example, and this would be considered one "use-case" that would
make use of TCP encapsulation. The draft does provide such flexibility.
The objective of this proposal is to provide a
Hi Valery,
As Samy mentioned, this draft does allow for the traffic to look like HTTPS
traffic (using TLS over port 443), but doesn’t require it. It is about defining
a standard way to add framing to IKEv2 and ESP when put over a TCP-based
stream; the applications of this may vary in
hanks
Samy.
From: Tommy Pauly <tpa...@apple.com>
Sent: Sep 15, 2015 8:20 PM
To: Tero Kivinen
Cc: IPsecME WG
Subject: Re: [IPsec] WG Interest in TCP Encapsulation
Hello Tero,
I have read the previous draft for using TCP to avoid fragmentation problems,
and I believe that the new TCP-encapsulatio
On Wed, 16 Sep 2015, Yoav Nir wrote:
This draft is proposing both IKE and ESP over the TCP connection, so the
protocol will work in situations where UDP (even with fragmentation at the IKE
rather than IP layer) fails.
We’ve had something like this working with IKEv1 for over 10 years. Many
Hi Paul,
I encourage you to read the new draft, as I believe it addresses many of your
concerns. It covers the potential new vulnerabilities (RST), as well as how to
frame the datagrams in a stream along with an explanation of performance
concerns. It also makes it clear that TCP should only
> On Sep 16, 2015, at 5:01 AM, Tero Kivinen wrote:
>
> Tommy Pauly writes:
>> I wanted to get a sense of WG interest in working on a standard for running
>> IKEv2/IPSec over a TCP (or TLS/TCP) connection to traverse networks that
>> currently block UDP traffic.
>
> Before we
Hello Tero,
I have read the previous draft for using TCP to avoid fragmentation problems,
and I believe that the new TCP-encapsulation draft is aimed at solving a
different use case with a different approach.
The current standard for IKEv2 fragmentation is definitely the right thing to
do to
Tommy Pauly writes:
> I wanted to get a sense of WG interest in working on a standard for running
> IKEv2/IPSec over a TCP (or TLS/TCP) connection to traverse networks that
> currently block UDP traffic.
Before we made the UDP fragmentation document, our original plan was to
run IKEv2 over TCP,
Hello,
I wanted to get a sense of WG interest in working on a standard for running
IKEv2/IPSec over a TCP (or TLS/TCP) connection to traverse networks that
currently block UDP traffic.
Here’s the link to the draft:
https://tools.ietf.org/html/draft-pauly-ipsecme-tcp-encaps-00