Re: [IPsec] New Version Notification for draft-nir-ipsecme-ike-tcp-00.txt

2012-06-15 Thread Tero Kivinen
Yoav Nir writes: I think section 2.1 makes it clear that the TCP connections should be short-lived. Specifically, I would not send liveness checks, which are very short requests and responses over TCP. I would use UDP exclusively for those. As liveness checks are supposed to check whether

Re: [IPsec] New Version Notification for draft-nir-ipsecme-ike-tcp-00.txt

2012-06-15 Thread Tero Kivinen
Yoav Nir writes: I agree with the concerns Yaron has raised here. I would much prefer that this be negotiated via notifications during the SA_INIT exchange. I see a number of benefits: 1. The TCP listening port could be explicitly exchanged (as data in the notification), rather

Re: [IPsec] New Version Notification for draft-nir-ipsecme-ike-tcp-00.txt

2012-06-15 Thread Yoav Nir
On Jun 15, 2012, at 1:34 PM, Tero Kivinen wrote: 2. Since INIT always happens over UDP, as responder, I can immediately close any TCP connection that doesn't present an IKE header with an SPI I recognize. I don't agree that IKE_SA_INIT should always be over UDP. The first flight of

Re: [IPsec] New Version Notification for draft-nir-ipsecme-ike-tcp-00.txt

2012-06-14 Thread Yoav Nir
Hi Yaron Responses are inline. Yoav On Jun 14, 2012, at 1:40 AM, Yaron Sheffer wrote: Hi Yoav, thank you for the new draft. A few comments: - Please mention the question of IKE keepalive messages (liveness check). Do you expect these messages to each be on a new connection? Or to

Re: [IPsec] New Version Notification for draft-nir-ipsecme-ike-tcp-00.txt

2012-06-14 Thread Yaron Sheffer
Hi Yoav, please see below. Thanks, Yaron On 06/14/2012 08:39 PM, Yoav Nir wrote: Hi Yaron Responses are inline. Yoav On Jun 14, 2012, at 1:40 AM, Yaron Sheffer wrote: Hi Yoav, thank you for the new draft. A few comments: - Please mention the question of IKE keepalive messages

Re: [IPsec] New Version Notification for draft-nir-ipsecme-ike-tcp-00.txt

2012-06-14 Thread John Leser
On 06/14/12 13:39, Yoav Nir wrote: Hi Yaron Responses are inline. Yoav On Jun 14, 2012, at 1:40 AM, Yaron Sheffer wrote: Hi Yoav, thank you for the new draft. A few comments: - Please mention the question of IKE keepalive messages (liveness check). Do you expect these messages to each be

Re: [IPsec] New Version Notification for draft-nir-ipsecme-ike-tcp-00.txt

2012-06-14 Thread Yoav Nir
On Jun 14, 2012, at 10:34 PM, John Leser wrote: On 06/14/12 13:39, Yoav Nir wrote: Hi Yaron Responses are inline. Yoav On Jun 14, 2012, at 1:40 AM, Yaron Sheffer wrote: Hi Yoav, thank you for the new draft. A few comments: - Please mention the question of IKE keepalive

Re: [IPsec] New Version Notification for draft-nir-ipsecme-ike-tcp-00.txt

2012-06-14 Thread John Leser
On 06/14/12 16:25, Yoav Nir wrote: On Jun 14, 2012, at 10:34 PM, John Leser wrote: On 06/14/12 13:39, Yoav Nir wrote: Hi Yaron Responses are inline. Yoav On Jun 14, 2012, at 1:40 AM, Yaron Sheffer wrote: Hi Yoav, thank you for the new draft. A few comments: - Please mention the