On Wed, 31 Aug 2016, Mirja Kuehlewind (IETF) wrote:
thanks for providing the reference to the draft. That was very helpful and
confirmed my initial assumption that you don't want to 'change' TCP. So this
work seems to be fine in this group, however, the wording in the charter is
very misleading. What about the following?
"There have been middle boxes blocking IKE negotiation over UDP. To
make IKE work in these environments, IKE packets need to be
encapsulated in ESP over TCP. Therefore the group will define a mechanism to
use IKE and IPsec over TCP. Further the group will provide guidance
how to detect when IKE cannot be negotiated over UDP and TCP as a fallback
should be used."
"IKE packets need to be encapsulated in ESP over TCP" is not correct.
Both IKE and ESP are "independently" encapsulated over TCP. First the
IKE negotiation happens, normally over UDP port 500 or, when NAT is
involved, over UDP port 4500. We are now introducing a method to
encapsulate this over TCP. Once the IKE session is up, we have
negotiated an ESP method, which we will _also_ need to encapsulate
over the same TCP stream. As with ESP over UDP, we place markers in
the stream to distinguish IKE from ESP packets within the TCP stream.
Paul
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
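To make the framing Paul describes concrete, here is an added example (it is not code from this thread, from the draft under discussion, or from any IETF implementation). It shows one TCP stream carrying both an IKE message and an ESP packet, with a marker in front of each IKE message so the receiver can tell the two apart, the same trick UDP encapsulation on port 4500 uses. The exact layout is this example's assumption: a 6-octet "IKETCP" stream prefix, a 16-bit big-endian length in front of every message that counts the length field itself, and a four-octet all-zero "non-ESP marker" before IKE messages (an ESP packet starts with its SPI, which is never zero, so the first four octets are enough to demultiplex). The sample IKE header and ESP packet are constructed inline.

```python
import struct

# Assumptions of this example, not text from the list or the draft:
# - a TCP stream begins with the 6-octet prefix b"IKETCP";
# - every message is preceded by a 16-bit big-endian length that includes
#   the two length octets themselves;
# - IKE messages carry a 4-octet zero "non-ESP marker" in front of them,
#   as in UDP encapsulation on port 4500; ESP packets start with their SPI,
#   which is never zero, so the first four octets select IKE vs. ESP.
STREAM_PREFIX = b"IKETCP"
NON_ESP_MARKER = b"\x00\x00\x00\x00"
LEN_SIZE = 2
MAX_FRAME = 0xFFFF


def _frame(body: bytes) -> bytes:
    """Prefix one message body with its total length (length field included)."""
    total = LEN_SIZE + len(body)
    if total > MAX_FRAME:
        raise ValueError("message does not fit a 16-bit length field")
    return struct.pack("!H", total) + body


def frame_ike(ike_message: bytes) -> bytes:
    """IKE message -> [len][0x00000000][IKE message]."""
    return _frame(NON_ESP_MARKER + ike_message)


def frame_esp(esp_packet: bytes) -> bytes:
    """ESP packet -> [len][ESP packet]; the SPI doubles as the discriminator."""
    if len(esp_packet) < 4:
        raise ValueError("ESP packet too short to carry an SPI")
    if esp_packet[:4] == NON_ESP_MARKER:
        # SPI 0 is reserved precisely so it can never be confused with the marker.
        raise ValueError("ESP SPI of zero would collide with the non-ESP marker")
    return _frame(esp_packet)


class IkeTcpDemux:
    """Receiver side: TCP delivers arbitrary chunks, so buffer until a whole
    frame is present and classify each complete frame by its first 4 octets."""

    def __init__(self):
        self._buf = b""
        self._prefix_ok = False

    def feed(self, data: bytes):
        self._buf += data
        records = []
        if not self._prefix_ok:
            if len(self._buf) < len(STREAM_PREFIX):
                if STREAM_PREFIX.startswith(self._buf):
                    return records  # wait for the rest of the prefix
                raise ValueError("stream does not start with the IKETCP prefix")
            if not self._buf.startswith(STREAM_PREFIX):
                raise ValueError("stream does not start with the IKETCP prefix")
            self._buf = self._buf[len(STREAM_PREFIX):]
            self._prefix_ok = True
        while len(self._buf) >= LEN_SIZE:
            (total,) = struct.unpack_from("!H", self._buf, 0)
            if total < LEN_SIZE + 4:
                raise ValueError("frame too short to hold a marker or an SPI")
            if len(self._buf) < total:
                break  # partial frame; keep it until more TCP data arrives
            body = self._buf[LEN_SIZE:total]
            self._buf = self._buf[total:]
            if body[:4] == NON_ESP_MARKER:
                records.append(("ike", body[4:]))  # strip the marker
            else:
                records.append(("esp", body))      # SPI stays part of the packet
        return records


# Constructed sample data (not captured traffic): a 28-octet IKEv2 header for
# an IKE_SA_INIT request, and an ESP packet with SPI 0x12345678, seq 1 and
# 16 octets standing in for ciphertext.
SAMPLE_IKE = struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x00" * 8, 33, 0x20, 34, 0x08, 0, 28)
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + bytes(range(16))


def demo():
    """Send IKE then ESP on one stream, deliver it in three chunks that each
    split a frame, and return what the receiver recovers."""
    stream = STREAM_PREFIX + frame_ike(SAMPLE_IKE) + frame_esp(SAMPLE_ESP)
    demux = IkeTcpDemux()
    out = []
    for chunk in (stream[:26], stream[26:50], stream[50:]):
        out.extend(demux.feed(chunk))
    return out


if __name__ == "__main__":
    for kind, payload in demo():
        print(kind, payload.hex())
```

The receiver never inspects IKE or ESP contents to demultiplex; only the four octets after the length matter, which is why the framer refuses an ESP packet whose SPI is zero.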