pseudonyms, so that would be a bad idea if full protection is needed.
Is it reasonable to describe this Pseudonym update mechanism separately, or
do you think it is too heavily connected to the quantum resistance
--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
-= IPv
ng to resolve internal
addresses. It's the whole MIF/split-horizon DNS problem, and I think it's
all a bad IPv4-specific idea, and we should be trying to kill it.
In an IPv6 world, we have better ways to build walled gardens.
usually v4) in order to get v6 to my
laptop from coffee shops regularly. I haven't tried this over NAT64, but I
will change this to use DNS. Of course, I wouldn't need this tunnel in a
NAT64 network, since I'd have v6, so I'll set up some v4 IPsec too for the
next IETF and try it out.
client comes in he
> does not use the ID_KEYID of \x1c747c060d209a223d1f9f51b0351b54, but
> he uses the new ID_KEY_ID \x7ca765c1972372cecf78184d1a628d05 instead.
I can buy this.
It seems independently useful to me.
keys when nobody is going to use them.
I would like people to document an interface, but I have no desire to expose
it to users. In your Android example, I'm perfectly happy with having a
shell and a netlink/pfkey socket as the "interface".
uld wind up with a new Group PSK like we had with IKEv1.
> o Would we be happy with always negotiating a child SA (as none of the
> three proposals for stirring in the PPK attempt to protect the initial
> IKE SA)?
I wonder if this might be simpler and more reliable to just alwa
they listen,
or they don't.
Isn't this "solved" by putting the security context in, and simply not
talking about it? We still tell users not to share keys, which is what we
plan to do anyway.
Yoav Nir <ynir.i...@gmail.com> wrote:
> 4 Why do we need a new port? What goes wrong if the
> packets go to port 4500?
I think that TE/load-balancer in the network calculates the same tuple hash
and so takes the same path. (Presuming that it ignores the source UDP port)
Scott Fluhrer (sfluhrer) <sfluh...@cisco.com> wrote:
>> Michael Richardson writes:
>> > - Authentication; if someone with a Quantum Computer can break the DH
>> > in real time, do we care if he can act as a man-in-the-middle?
>> Scott >
Thank you for the reply, it helps me understand that AES-256 is worthwhile.
hand, "2 qubit silicon gate" in 2016.
I believe that we need 128 to interact to break AES-128?
I'm just trying to understand how the revolution that will take us from ~12
to 128, won't take us to 256 the following week.
I feel kinda like we are re-arranging the chairs on the Titanic here.
’s my list of requirements (and my opinions); did I miss any
> requirement that you think is important? What are your opinions about
> these requirements?
We have to be able to negotiate the use of these extensions.
I want to suggest something further: that we might want to negotiate use of
some
New charter seems fine.
(I am pessimistic about the milestones, but I suggest changing them as needed
rather than planning to take longer.)
SSIVE MODE message, we process until we
can see the ID, and then INVALID-MAJOR-VERSION?
so it makes sense to
(it seems that /56 and /60 are the sweet spots)
ered harmful draft /
> ikev1-diediediediedie...
Yes, I would say so.
I'd even suggest that maybe it needs a CVE against products that have IKEv1
turned on by default.
d one to avoid pre-distribution of the pad, but as
long as the attacker can record that, and eventually break the encryption
protecting sending the offset, then it fails.
e good advice.
Perhaps this is worth an IKE 2.1 value --- an initiator that says 2.1
is saying that it will always put the COOKIE last.
upports (without adding a round trip to the
> protocol).
This is why I suggested... if you have to add a round trip anyway... might as
well solve a puzzle or something along the way.
vided-chaff quickly. If a new protocol was
quantum resistant, and *also* provided a measure of DDoS resistance, then
that would probably significantly improve the industry interest in it.
engths up to 4096 bits.
So, this is different than "2048" and "4096".
This text would support a key length of 2304, for instance.
ave actually do all of that
rekeying. You can simply look at the CRL, and if it turns out the key is
bad, you kill the SA, regardless of the PARENT SA lifetime.
Scott Fluhrer (sfluhrer) <sfluh...@cisco.com> wrote:
>> From: IPsec [mailto:ipsec-boun...@ietf.org] On Behalf Of Michael
>> Richardson
>>
>> It is my belief/memory that IKEv2 implementations should NOT limit SA
>> (PARENT or CHILD) lifet
-remembered?
What document did I miss?
Yoav Nir <ynir.i...@gmail.com> wrote:
> “Some point” has arrived, and I don’t think group #2 should even be
> SHOULD- at this point.
MAY or SHOULD NOT?
than the combination of AES-CBC and
> HMAC-SHA-something. I think it’s a prime candidate for MUST. CTR was
> always uncommon. ChaCha20+Poly1305 is so new that it can't be MUST this
> iteration. Maybe next time.
Agreed.
I guess the can-o-worms called ECDSA will show up too as a SHOULD+.
Does 3DES go to MAY?
Does SHA1 go to MUST-?
We hadn't listed SHA2 at all before.
We also have no GCM/CCM things specified.
Are we obligated to list them as SHOULD+ for a while?
I think that the updates will otherwise be non-controve
read a bit about NTRU on wikipedia, of which I knew nothing before.
There are patents involved, I don't know which ones and I don't know when
they expire, but it seems like it isn't that new
an idea. Apparently they wrote some kind of exemption for open source.
and the
AES-256 encryption algorithm. RFC 2409 is the only version
of the IKE standard that leverages symmetric pre-shared keys
in a manner that may achieve quantum resistant confidentiality.
So, all of IKEv2 is out, according to them?
Or they just didn't consider it yet?
the methods also use traditional DH, and IKEv2 defines ECDH methods
(AFAIK, haven't implemented yet).
I wonder if QC factoring of ECC is easier than finding
SHA1/SHA2/etc. collisions, or if there is less effort being spent on the
secure hashes.
, however there are
many weak clients that are not smartphones (besides IoT world
that could be some SOHO devices, like sensors, home appliance,
SOHO routers etc.).
It seems to me there can not be a one-size-fits-all approach.
Focus on a smaller scope of problem.
problem, but on a generic operating system
(Linux, *BSD, probably windows), it's a problem to get the right bookkeeping
in place.
(which might be keystrokes).
It also lets the sender send a NH=0 chaff packet with a bunch of padding so
that it looks like real data.
be useful to write down
somewhere.
Yoav Nir ynir.i...@gmail.com wrote:
Changes include:
- Clarified keying material derivation for IKE
- Clarified that IV is included in the Encrypted payload
- Fixed the requirements for padding in the Encrypted payload so as not
to require padding bytes.
- Added a
that HMAC-SHA2/AES
might become weak, that it would seem odd to depend upon SHA2 as the PRF.
At least, users might not understand.
(noting that SHA2 != HMAC-SHA2, and also that the inputs to the PRF are not
very easily manipulated...)
that IKEv2 has no requirement that the
two ends authenticate with the same algorithm. I agree that this makes it
difficult to know which of many algorithms to use; I think the answer is
that CERTREQ payloads must be present.
of working around someone else’s
mistakes.
Hahaha, that's really funny.
I guess you don't need to interop with anything you didn't buy.
and only choice, and may lose
algorithm agility in protocols.}
I am supportive of defining code points for these.
. For much of the life of the
IPsec specification, software implementations of IPsec have been slower than
line card speeds. It has only been in the past 7 to 9 years that this has
frequently not been the case; and it is still the case for most home
gateways, for instance.
}
As such, I don't see how this work can become standard for a long time.
Maybe the bis-bis of it.
I am, however, all for accommodating the need for protocol numbers to make this
work.
think that we have the right people here to actually
get the work done in a way that would result in a deployed standard.
drive the
botnet towards this.
little budget for multi-processor botnet
communication. I suspect that this second part is impossible and/or easily
spoofed, as we don't know the actual RTT between client and gateway.
(Or rather, any RTT estimation could be spoofed by a botnet to give itself
more time)
, however, that the simplest machines to DDoS will be the smallest
gateways.
process; I think we need to think about the
problem deeper. It would be nice if it could be made to work; but I suspect
that may be equivalent to the CAPTCHA problem.
algorithm according to the group’s preference and add
a fast path for repeat visitors if we think that’s a good idea.
+1
data on how
often gateways are being DDoSed.
over NULL AUTH.
Still, that doesn't convey enough intent; AUTH_DIDNTWANTTO, or something
like that might say it better, but that's a mouthful, so I can live with
AUTH_NONE if we can't do better.
acceptable TSx in the PAD?
I think that the opportunistic encryption use case given can not make any
sense without reference to the PAD.
, and such an
argument is sure to come.
Doing that on list would possibly be more useful than waiting for
the meeting. Or not.
Perhaps worth circulating the abandon email more widely around the IETF.
can not install any device drivers or do anything as root or
administrator, can you install your VPN software?
Now, if I give you just enough root so that you can have a PF_KEY socket, can
you make something work?
) and real world experience
(dmvpn), I would favor dmvpn, because the handling and operating sounds
less complex. (e.g. lower amount of steps in tunnel initiation, single logical
interface for tunnel termination etc.)
Do you care about mobile (handheld) devices?
and if so can you give the authors some
guidance on what you think would be most useful? E.g., have each
proposal document how RFC7018's three use cases meet the 16+ RFC7108
requirements, or something else?
Yes, please revise their ID, add a compliance section or some such.
that has a similar solution?
Frederic Detienne (fdetienn) fdeti...@cisco.com wrote:
On 08 Dec 2013, at 12:08, Michael Richardson mcr+i...@sandelman.ca
wrote:
Frederic Detienne (fdetienn) fdeti...@cisco.com wrote:
On 06 Dec 2013, at 19:41, Michael Richardson mcr+i...@sandelman.ca
wrote
solution.
than being well, whatever you like
5) it permits port-specific policies to be controlled by HQ.
.
But could not find a suitable message type to convey dscp information.
Can you suggest which notification message should be used here ?
Correct.
you'd have to write an ID on a new Notify type.
, that part is
done in the routing algorithm.
upon the traffic that goes into it
(but, the SPD selectors may quite specifically pick the traffic).
Tero Kivinen kivi...@iki.fi wrote:
Michael Richardson writes:
For a given IPsec SA, they want to overwrite/force/set the DSCP to a
particular value. It will not depend upon the traffic that goes into it
(but, the SPD selectors may quite specifically pick the traffic).
If I
at the client/device what DS to
use on that network.
My suggestion is, since this is not something that is subject to negotiation,
to simply define a new notification value.
let me know which AVP can be used?
Your help will be appreciated.
--
Does this thread help you:
http://www.ietf.org/mail-archive/web/ipsec/current/msg08740.html
Do you have the same problem as Paul?
,
hence the removal of the +.
Within the IPsec community, I agree that this is the case, thank you for the
explanation.
/trojan/netnanny while RTP takes the shortcut.
(%)- the plumbing might need a way to sample 5-tuple flows to see if there
is traffic that should be shortcut. However, various schemes to put more
specific SPD entries in that cause key requests might accomplish this without
new kernel code.
RFC). A draft already exists, thanks Tero [1]. If we do
not hear significant objections, we would like to adopt the document as
a WG document by Monday, Oct. 21.
+1.
PRIMUS SUPPORT AGENT -
Hello Michael,
We have got the routing checked and found that we will not be able to
complete this call to conference bridge at +1 712-775-7400 due to that NPA
NXX being locked. This is likely due to high toll costs.
)
Michael Richardson mcr+i...@sandelman.ca wrote:
The call-in details are:
Tele: +1 712-775-7400
Code: 809604#
mcr Two LD suppliers (entirely different phones) tell me that I can not
mcr reach this number from my line.
I wonder if this exchange has an inflated LD rate
and while conceptually I found
it okay, I think that the protocol should be inside IKE.
is a UDP based protocol, and if you remove the IPsec requirement, it's
just another daemon.
It is the *HUB* and the *SPOKES* where I think one wants to remove as many
moving parts as possible, and in particular, remove any additional
firewall/policy complexity.
.
was doing the NAT before sending them
to the Internet)
good.
to CPE_C. Where are the tunnel outer information configured?
It seems to me at least some traffic selectors are needed.
the suggestion of having the shortcut
be learned incrementally.
Re: the situation in A.3. If officeGW realizes that peer1 and peer2 are in
fact on the same subnet, etc. is there any way for it to tell them to create
a bypass between them?
Please note that fragmentation below UDP is unpopular among IPv6.
http://www.ietf.org/proceedings/87/slides/slides-87-6man-2.pdf
validate n and thirdly validate e
and n are consistent with each other. In order to validate the public
exponent e, use is made of the fact that the exponent 2=e=2(k
I can not speculate as to whether there is prior art, but it seems to
match what we have been discussing.
likely needs be solved in a standard way.
want to have another
Paul (albeit shorter) WG Last Call for this new version of the
Paul draft. Please send comments to the WG by Monday, April
The additional material seems clear enough to me.
appropriate if conformance to [NIST-800-56A]
is not required.
well
formatted, but I don't at this point know what they mean.
sfluhrer Actually, we're talking about ECDH here, and not ECDSA.
my typo at 11:30pm.
.
Is the point here that this is safe if we do these tests?
.)
seemed well
formatted, but I don't at this point know what they mean.
I don't think that this addresses any work item for IPsecME, but I
thought that maybe it might help someone to know about this.
like a good point to me.
DM AES-CTR is the one algorithm in that category in the draft so
DM far.
I agree with this.
. Send your
TK comments about this too.
if it can fit into the charter, and/or our AD will let us, then yes.
round trip and
TK 2 packets.
Yes. I think that the congestion window argument is probably not
relevant. I don't think the congestion window will open much even if the
first round trip goes through.
is that the initial
congestion window wouldn't be big enough to quickly send out the large
IKE_AUTH payload. Having at least one RTT for the initial IKE_INIT
exchange would allow TCP to double the window, and get an estimate for
RTT.
think
it should be added in clarifications.
Regards,
Kalyani
with TLS is that the client has a concept of the
Paul terminal name it connected to, and has its own src-dst transport,
Paul whereas for IPsec we only have one src-dst for the entire host.
Agreed.
missed?
.
between policies which
is the ordering mechanism for policies as specified in 4301.
do
Yoav drop fragments. Getting this behavior at the ISP is novel.
And ESP over TCP on port 4500?
).
good enough.