On Sun, 19 Mar 2017, Eric Rescorla wrote:
> I haven't fully thought this through, but if you can switch-hit between TCP and UDP, why can't you just race the setup between TCP and UDP and then if you start getting packets on UDP, cut over to that?

There should really be a STRONG preference for UDP:

- (encrypted) TCP in TCP with packet loss _really_ performs poorly and should be avoided at all costs
- there is a reason IKE/IPsec uses UDP and ESP and not TCP. It is not susceptible to (spoofed) TCP-RST packets :P

> Maybe I'm just too influenced by ICE :)

Yes, we are not limited to flow-level security :)

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec