Are port numbers really that precious (particularly if we can allow for a >1024 port allocation) that we have to force Deep Packet Inspection on systems that want to disallow non-TLS traffic, or at least, to identify it so that mis-configured clients can be fixed?
Alan DeKok <[email protected]> wrote:
> For example, it may be useful for firewalls to allow TACACS+ traffic,
> but only if it's encrypted.

> The non-TLS TACACS+ connections have the first octet as 0xc0 or 0xc1,
> and the second octet is 0x01, 0x02, or 0x03. Whereas TLS begins with a
> TLS handshake 0x16, followed by the TLS major version 0x03.

--
Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
signature.asc
Description: PGP signature
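The two-octet check quoted above, written out as an added example from a firewall's point of view (this is not code from the thread or from any TACACS+ implementation). It labels the first bytes a client sends on a TACACS+ port as plaintext TACACS+, TLS, or something else, and reports the plaintext clients so they can be fixed rather than silently dropped. The header layouts follow RFC 8907 (TACACS+) and the TLS record layer; the sample packets, client addresses, and the `Flow` type are constructed for the example.

```python
from dataclasses import dataclass

# TACACS+ header (RFC 8907): major version 0xc in the high nibble and minor
# version 0 or 1 in the low nibble give 0xc0/0xc1; the second octet is the
# packet type.
TACACS_PLUS_VERSIONS = {0xC0, 0xC1}
TACACS_PLUS_TYPES = {0x01: "authen", 0x02: "author", 0x03: "acct"}

# TLS record header: content type 0x16 (handshake) followed by the major
# version 0x03, which TLS 1.0 through 1.3 all put in the record layer.
TLS_CONTENT_HANDSHAKE = 0x16
TLS_MAJOR_VERSION = 0x03


def classify_first_bytes(payload: bytes) -> str:
    """Label the first two octets a client sent on a TACACS+ port."""
    if len(payload) < 2:
        return "undecided"  # not enough data yet to judge either way
    first, second = payload[0], payload[1]
    if first in TACACS_PLUS_VERSIONS and second in TACACS_PLUS_TYPES:
        return "tacacs-plaintext"
    if first == TLS_CONTENT_HANDSHAKE and second == TLS_MAJOR_VERSION:
        return "tls"
    return "unknown"


@dataclass
class Flow:
    """Constructed stand-in for a new TCP connection: who sent what first."""
    client: str
    first_bytes: bytes


def enforce_tls_only(flows):
    """Permit only TLS; return (allowed_clients, findings).

    Findings name the client and the reason so an operator can repair a
    mis-configured client; the payload bytes themselves are not logged.
    """
    allowed, findings = [], []
    for flow in flows:
        verdict = classify_first_bytes(flow.first_bytes)
        if verdict == "tls":
            allowed.append(flow.client)
        elif verdict == "tacacs-plaintext":
            ptype = TACACS_PLUS_TYPES[flow.first_bytes[1]]
            findings.append(f"{flow.client}: plaintext TACACS+ {ptype} packet, blocked")
        else:
            findings.append(f"{flow.client}: {verdict} first bytes, blocked")
    return allowed, findings


# Constructed sample inputs (not captured traffic).
# Plaintext TACACS+ v12.0 authentication header: version, type, seq_no, flags,
# session_id (4 octets), body length (4 octets).
TACACS_AUTHEN_START = bytes([0xC0, 0x01, 0x01, 0x00]) + b"\x12\x34\x56\x78" + b"\x00\x00\x00\x10"
# First octets of a TLS record carrying a ClientHello: handshake, version 3.1, length.
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xF0, 0x01])
# Something that is neither (an HTTP request aimed at the wrong port).
HTTP_GET = b"GET / HTTP/1.1\r\n"

SAMPLE_FLOWS = [
    Flow("10.0.0.11", TACACS_AUTHEN_START),
    Flow("10.0.0.12", TLS_CLIENT_HELLO),
    Flow("10.0.0.13", HTTP_GET),
    Flow("10.0.0.14", b"\x16"),  # only one octet seen so far
]

if __name__ == "__main__":
    allowed, findings = enforce_tls_only(SAMPLE_FLOWS)
    print("allowed:", allowed)
    for finding in findings:
        print(finding)
```

Only the first two octets are inspected, so a single-octet read is reported as undecided rather than guessed at; a real filter would hold the connection until a second octet arrives before deciding.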
_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
