Mirja Kuehlewind (IETF) writes:
> thanks for providing the reference to the draft. That was very
> helpful and confirmed my initial assumption that you don't want to
> 'change' TCP. So this work seems to be fine in this group, however,
> the wording in the charter is very misleading. What about the
> following?

Yes, we do NOT want to make any changes to TCP, not the TCP outside nor the TCP inside (or UDP, ICMP, whatever is inside; the inside traffic can of course be something other than TCP, but usually there will be TCP also).

> "There have been middle boxes blocking IKE negotiation over UDP. To
> make IKE work in these environments, IKE packets need to be
> encapsulated in ESP over TCP. Therefore the group will define a
> mechanism to use IKE and IPsec over TCP. Further the group will
> provide guidance how to detect when IKE cannot be negotiated over
> UDP and TCP as a fallback should be used."

That is a bit misleading, as IKE packets are not encapsulated in ESP; instead both IKE and ESP packets are encapsulated in a (very simple) encapsulation protocol that runs over TCP. I.e., the very simple encapsulation protocol consists of just a 2-octet length prefixing the packet, and nothing else. So more accurate text would be:

  There have been middle boxes blocking IKE negotiation over UDP. To
  make IKE work in these environments, IKE and ESP packets need to be
  transmitted over TCP. Therefore the group will define a mechanism to
  use IKE and IPsec over TCP. Further the group will provide guidance
  how to detect when IKE cannot be negotiated over UDP and TCP as a
  fallback should be used.

> I also removed some redundancy and added a point that guidance is
> needed to detect blocking. We could still at the current draft as a
> starting point...

-- 
[email protected]
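The encapsulation described in the thread (a 2-octet length in front of each IKE or ESP packet, carried over a TCP stream) looks trivial to implement, but a receiver has to cope with TCP delivering a frame header split across reads, several frames in one read, and bogus lengths from a misbehaving peer. The following framer is an added example written for this note, not code from the thread, the draft or any IPsec implementation. It assumes the length field is big-endian and counts only the encapsulated packet, not the 2-octet field itself; the draft's actual field definition should be checked before this is relied on.

```python
"""Stream framer for the IKE/ESP-over-TCP encapsulation discussed in the thread.

Assumption (not stated in the thread): the 2-octet length is big-endian and
counts only the encapsulated packet, not the length field itself.
"""
import struct

HEADER_LEN = 2      # 2-octet length prefix, as described in the thread
MAX_FRAME = 65535   # largest value a 2-octet length can carry


def encapsulate(packet: bytes) -> bytes:
    """Prefix one IKE or ESP packet with its 2-octet big-endian length."""
    if not packet:
        raise ValueError("empty packet")
    if len(packet) > MAX_FRAME:
        raise ValueError("packet too large for a 2-octet length field")
    return struct.pack("!H", len(packet)) + packet


class Deframer:
    """Reassembles framed packets from an arbitrary byte stream.

    TCP is a byte stream, so one recv() may return half a frame, several
    frames, or a frame boundary split across calls. feed() buffers bytes and
    returns every complete packet available so far.
    """

    def __init__(self, max_frame: int = MAX_FRAME) -> None:
        self._buf = bytearray()
        self._max_frame = max_frame

    def feed(self, data: bytes) -> list[bytes]:
        self._buf.extend(data)
        out: list[bytes] = []
        while True:
            if len(self._buf) < HEADER_LEN:
                break  # not even a complete length field yet
            (length,) = struct.unpack_from("!H", self._buf, 0)
            if length == 0 or length > self._max_frame:
                # A zero or oversized length can never be a valid packet. A
                # receiver that kept parsing would lose frame sync or let a
                # peer pin an arbitrarily large buffer, so fail closed here.
                raise ValueError(f"invalid frame length {length}")
            if len(self._buf) < HEADER_LEN + length:
                break  # wait for the rest of this frame
            out.append(bytes(self._buf[HEADER_LEN:HEADER_LEN + length]))
            del self._buf[:HEADER_LEN + length]
        return out

    def pending(self) -> int:
        """Bytes buffered that do not yet form a complete frame."""
        return len(self._buf)


def demo() -> list[bytes]:
    """Push two constructed packets through the deframer in awkward pieces."""
    # Constructed sample payloads; these are not real IKE or ESP messages.
    ike = b"constructed IKE payload"
    esp = b"constructed ESP payload"
    stream = encapsulate(ike) + encapsulate(esp)
    d = Deframer()
    got: list[bytes] = []
    # Deliver a lone header byte, then a split body, then everything else,
    # to exercise the partial-read paths a real TCP socket produces.
    got += d.feed(stream[:1])
    got += d.feed(stream[1:3])
    got += d.feed(stream[3:])
    return got


if __name__ == "__main__":
    for pkt in demo():
        print(len(pkt), pkt)
```

The length bound matters in practice: with a 16-bit field a peer cannot force more than 64 KiB of buffering per connection, but rejecting zero-length frames and any length above the configured maximum keeps the framer from silently desynchronising on corrupted or hostile input, which is also where a detection tool reading this encapsulation off the wire would want to raise an alert rather than keep parsing.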
