On Tue, 25 Apr 2017, Kathleen Moriarty wrote:

[ Note at least Joe Touch seemed to think I'm an author. I am not. I meant the royal "we" as in the IPsecME WG. I have a vested interest because as an implementer I want an interoperable standard for this ]

> The port discussion in other AD reviews and discouraging the use of 443 may change this to be identifiable traffic over TCP 4500 with the required stream prefix only for legitimate uses

If you insist on this, one of two things will happen:

1) The landscape stays as fragmented and non-interoperable, which will hurt IKE/IPsec, and we will see more SSL VPN variants and openvpn usage. No one will implement the resulting RFC.

2) Everyone will implement draft-ietf-ipsecme-tcp-encaps-09, which will never become an RFC.

> , or in reality, 443 if this stays undocumented because of existing implementations. Warren's comment on operators not being able to detect this traffic is an important one, but I think it's fine to say the intent is to circumvent ACLs or firewall rules as opposed to avoiding detection. Then saying that avoiding detection is a result or unintended side effect.

Could the ADs come up with the weasel words they and Joe Touch would find acceptable? I don't get the idea there is agreement there.

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec