On Mon, 29 Aug 2016, Spencer Dawkins wrote:
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> This sentence doesn't parse for me - or maybe I just need more security
> clue?
>
> "IKEv1 using shared secret authentication was partially resistance to
> quantum computers."
s/resistance/resistant
> I don't object to this text
>
> "There have been middle boxes blocking IKE negotiation over UDP. To
> make IKE work in these environments, IKE packets need to be
> encapsulated in a TCP tunnel.
"In a TCP tunnel" is perhaps a little confusing, as IPinIP or an IPsec
tunnel was not meant. Instead, we meant "encapsulated in TCP".
> The group will define a mechanism to
> tunnel IKE and IPsec over a TCP-based connection. This method is
> intended to be used as a fallback when IKE cannot be negotiated over
> UDP. The group will create a method where IKEv2 and IPsec packets can
> be encapsulated in the TCP connection."
>
> going for external review, but I'd love to understand better what the
> resulting protocol stack looks like. I get the part about encapsulating
> IKEv2 in TCP, but is encapsulating IPsec in TCP going to give us a
> general-purpose "IP over TCP" mechanism?
It will be "ESP over TCP" similar to how we now have "ESP over UDP".
Paul