Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-05-23 Thread Hu, Jun (Nokia - US)
Thanks all for the clarification.

> -Original Message-
> From: tpa...@apple.com [mailto:tpa...@apple.com]
> Sent: Monday, May 23, 2016 5:28 PM
> To: Hu, Jun (Nokia - US)
> Cc: Paul Wouters; IPsecME WG
> Subject: Re: [IPsec] New version of TCP Encapsulation draft, request for
> adoption
>

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-05-23 Thread Hu, Jun (Nokia - US)
> From: Paul Wouters [mailto:p...@nohats.ca]
> Sent: Monday, May 23, 2016 4:26 PM
> To: Hu, Jun (Nokia - US)
> Cc: IPsecME WG
> Subject: Re: [IPsec] New version of TCP Encapsulation draft, request for
> adoption
>
> On Mon, 23 May 2016, Hu, Jun (Nokia - US) wrote:
>
> >> To get past middleware

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-05-23 Thread Paul Wouters
On Mon, 23 May 2016, Hu, Jun (Nokia - US) wrote: To get past middleware boxes that tend to not touch "real" TLS traffic but mangle anything else. [HJ] so there is middle box that will only allow TLS traffic (and dropping all plain tcp traffic)? that sounds pretty extreme, but even in such

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-05-23 Thread Samy Touati
Hi We use TLS to facilitate traversal of IPSEC traffic through http proxies. The client would use the HTTP Connect command to connect to the proxy. TLS is only used for this purpose and not for securing the IPSec link. Thanks. Samy. On 5/23/16, 3:55 PM, "IPsec on behalf of Hu, Jun (Nokia -

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-05-23 Thread Yoav Nir
> On 23 May 2016, at 9:39 AM, Valery Smyslov wrote:
>
> Hi Tommy,
>
> thank you for clarifications. One more point. The draft is silent about
> what the responder is supposed to do with the stream prefix.
> Should it check it? In this case what should it do if the prefix is
>

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-05-23 Thread Valery Smyslov
Hi Paul, thank you for clarifications. One more point. The draft is silent about what the responder is supposed to do with the stream prefix. Should it check it? In this case what should it do if the prefix is different from "IKEv2"? Discard the TCP session? Or should it ignore the prefix

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-05-23 Thread Paul Wouters
On Mon, 23 May 2016, Valery Smyslov wrote: thank you for clarifications. One more point. The draft is silent about what the responder is supposed to do with the stream prefix. Should it check it? In this case what should it do if the prefix is different from "IKEv2"? Discard the TCP session? Or

Re: [IPsec] New version of TCP Encapsulation draft, request for adoption

2016-05-23 Thread Valery Smyslov
Hi Tommy, thank you for clarifications. One more point. The draft is silent about what the responder is supposed to do with the stream prefix. Should it check it? In this case what should it do if the prefix is different from "IKEv2"? Discard the TCP session? Or should it ignore the prefix