Hi Samy,
Thanks for the new draft. It addresses most of my comments, but one
question remains.
I still don't understand why we require that each connection should
start with an IKE message. The explanation given is "to allow the peer
to know with which IKE session the traffic is

Hi Tommy,
Thanks for clarifying this point. But I still think we are making a
protocol change for what can be solved easily at the implementation
level. Implementations will need to tag each IKE SA with the currently
valid TCP connection on which responses can be sent. And ESP SAs likely

Hi Yaron,
The original version of the draft did not require that the new TCP connection
begin with an IKE message, but it was added in response to feedback we received
at our meeting in Yokohama.
The concern was that the new TCP connection would almost certainly have
different ports from the