Hi, Tommy,

On 4/25/2017 8:34 PM, Tommy Pauly wrote:
> I suggest that we can:
>
> - Clarify the text in section 2 (configuration) to say that the
> default port is TCP 4500, and that implementations may communicate
> other port options out of band as configuration. This is done for UDP
> as well. This is the "explicit" indication of the ports you mention above.
> - Port 443 is only mentioned in the figures for the appendix. We can
> remove the mention of the port there.
That will work.

> As for the Stream Prefix of "IKETCP", I believe that we have good
> reasons to keep it even if we are only using the protocol on port 4500
> (as would be the recommended/sanctioned method).

That is your decision, but IMO it is important that this ONLY helps
check that you connect to a port running your service based on other
information (e.g., port 4500 or port as indicated out of band). The key
issue is that this doc should never claim that this text is intended to
help you run this service *concurrently* with any other service on the
same port. That's hijacking - because any existing service can define
that string to mean whatever it wants (regardless of whether they do
that now or not).

> TCP port 4500 has been technically allocated to IPsec NAT Traversal
> (which TCP encapsulation is) for a long while without a specific
> protocol being defined. The concern that brought about the stream
> prefix was to let VPN endpoints that may be running older non-standard
> protocols recognize TCP encapsulation in case they were already
> squatting on the port (4500), or have configured TCP encapsulation to
> run on a port they are using for their own custom VPN protocol.
>
> How does that sound?

As a confirmation check, yes. Again, NOT to demux with legacy services.

Joe



_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
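The distinction the thread settles on, as an added example that is not from the draft or either author: the "IKETCP" Stream Prefix is checked as a confirmation that the peer on the (default 4500 or out-of-band configured) port speaks this protocol, and a mismatch closes the connection rather than dispatching to some other service. Class and function names (PrefixChecker, Verdict, listen_port) are assumptions for illustration; the framing that follows the prefix is left to the caller.

```python
from enum import Enum
from typing import Optional

STREAM_PREFIX = b"IKETCP"   # Stream Prefix discussed in the thread
DEFAULT_TCP_PORT = 4500     # default port; others may be configured out of band


class Verdict(Enum):
    PENDING = "need more bytes"
    ACCEPT = "prefix confirmed, this is our peer"
    REJECT = "not our service: close the connection"


class PrefixChecker:
    """Accumulates the first bytes of a new TCP stream and confirms the prefix.

    There is deliberately no "hand off to another service" outcome: the prefix
    confirms we reached an IKE/TCP peer, it does not demultiplex among services
    sharing one port. Any byte that diverges from the prefix is a REJECT.
    """

    def __init__(self) -> None:
        self.buf = b""
        self.verdict = Verdict.PENDING

    def feed(self, data: bytes) -> Verdict:
        """Feed one segment's worth of bytes; tolerates partial reads."""
        if self.verdict is not Verdict.PENDING:
            return self.verdict
        self.buf += data
        n = min(len(self.buf), len(STREAM_PREFIX))
        if self.buf[:n] != STREAM_PREFIX[:n]:
            self.verdict = Verdict.REJECT      # mismatch seen early: fail fast
        elif len(self.buf) >= len(STREAM_PREFIX):
            self.verdict = Verdict.ACCEPT
        return self.verdict

    def remaining(self) -> bytes:
        """Bytes after the prefix, for the caller's framing layer (empty unless accepted)."""
        return self.buf[len(STREAM_PREFIX):] if self.verdict is Verdict.ACCEPT else b""


def listen_port(configured: Optional[int] = None) -> int:
    """Port is taken from out-of-band configuration, else the TCP 4500 default."""
    return DEFAULT_TCP_PORT if configured is None else configured


if __name__ == "__main__":
    # Constructed sample input: the prefix split across two reads, then a stray HTTP request.
    c = PrefixChecker()
    print(c.feed(b"IKE"), c.feed(b"TCP\x00\x10"), c.remaining())
    print(PrefixChecker().feed(b"GET / HTTP/1.1\r\n"), listen_port(), listen_port(443))
```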
