Re: [IPsec] Ben Campbell's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS and COMMENT)

2017-04-27 Thread Ben Campbell
> On Apr 27, 2017, at 7:09 AM, Tero Kivinen wrote: > Substantive Comments: -3, first paragraph: Are people confident there will never, ever be a need to demux protocols other than IKE and ESP? If not, this approach may paint people in a corner in

Re: [IPsec] Can IPSec (RFC 5996) support tunnels with end point being (virtual) CPEs which has a set of workload attached (say Virtual Machines) all having virtual IP addresses?

2017-04-27 Thread Rafa Marin Lopez
Hi Paul: Thank you for your comments. Please, see mine inline. >>> [Rafa] I guess, it will depend on the scenario. I remember an e-mail to >>> I2NSF (https://www.ietf.org/mail-archive/web/i2nsf/current/msg0.html) >>> mentioning that they were doing sort of case 2 and they would like to

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Tommy Pauly
> On Apr 27, 2017, at 7:32 AM, Mirja Kühlewind wrote: > > See below > > On 27.04.2017 16:27, Eric Rescorla wrote: >> >>"This document leaves the selection of TCP ports up to >> implementations. It is suggested to use TCP port 4500, which >> is

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Tommy Pauly
> On Apr 27, 2017, at 6:46 AM, Mirja Kühlewind wrote: > > One more side comment on the magic number: actually the magic number makes it > easy for network operator to identify IKE/IPSec traffic on any port and block > all packets that belong to a flow that started with

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Mirja Kühlewind
See below On 27.04.2017 16:27, Eric Rescorla wrote: "This document leaves the selection of TCP ports up to implementations. It is suggested to use TCP port 4500, which is allocated for IPsec NAT Traversal." Which sounds to me like an

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Mirja Kühlewind
See below. On 27.04.2017 16:10, Eric Rescorla wrote: On Thu, Apr 27, 2017 at 6:42 AM, Mirja Kühlewind > wrote: Hi Ekr, hi all, (not sure anymore which email best to reply to but I'm using this one now to partly also reply to

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Eric Rescorla
On Thu, Apr 27, 2017 at 7:21 AM, Mirja Kühlewind wrote: > See below. > > On 27.04.2017 16:10, Eric Rescorla wrote: > >> >> >> On Thu, Apr 27, 2017 at 6:42 AM, Mirja Kühlewind > > wrote: >> >> Hi Ekr, hi all, >> >>

Re: [IPsec] Mirja Kuehlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Tero Kivinen
Mirja Kühlewind writes: > > I agree that this kind of port squatting is regrettable, but I also don't > > think it really > > helps to not publish RFCs that document widely used protocols because we > > are sad they port-squatted. > > > > I proposed a way to deal with this in an earlier e-mail.

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Eric Rescorla
On Thu, Apr 27, 2017 at 6:42 AM, Mirja Kühlewind wrote: > Hi Ekr, hi all, > > (not sure anymore which email best to reply to but I'm using this one now > to partly also reply to others). > > See below. > > On 27.04.2017 14:51, Eric Rescorla wrote: > >> >> >> On Thu, Apr 27,

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Mirja Kühlewind
Yes, just saying... On 27.04.2017 15:50, Eric Rescorla wrote: On Thu, Apr 27, 2017 at 6:46 AM, Mirja Kühlewind > wrote: One more side comment on the magic number: actually the magic number makes it easy for network operator to identify

Re: [IPsec] Mirja Kuehlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Spencer Dawkins at IETF
Tero, Top-posting, because I'm only saying "thank you, that's very helpful". Spencer On Thu, Apr 27, 2017 at 8:50 AM, Tero Kivinen wrote: > Spencer Dawkins at IETF writes: > > The reason optional ports in URIs work, is that someone handed you a URI > with > > that port number

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Mirja Kühlewind
One more side comment on the magic number: actually the magic number makes it easy for network operator to identify IKE/IPSec traffic on any port and block all packets that belong to a flow that started with this pattern in the first payload packet. So if you really think you need a magic

Re: [IPsec] Mirja Kuehlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Tero Kivinen
Spencer Dawkins at IETF writes: > The reason optional ports in URIs work, is that someone handed you a URI with > that port number who has some reason to believe that the port number is OK to > use with the host included in the URI. > > Is that a reasonable assumption about the way IPsec and IKE

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Eric Rescorla
On Thu, Apr 27, 2017 at 6:46 AM, Mirja Kühlewind wrote: > One more side comment on the magic number: actually the magic number makes > it easy for network operator to identify IKE/IPSec traffic on any port and > block all packets that belong to a flow that started with this

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Mirja Kühlewind
Hi Ekr, hi all, (not sure anymore which email best to reply to but I'm using this one now to partly also reply to others). See below. On 27.04.2017 14:51, Eric Rescorla wrote: On Thu, Apr 27, 2017 at 1:32 AM, Mirja Kühlewind > wrote: I

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Eric Rescorla
On Thu, Apr 27, 2017 at 6:00 AM, Eric Rescorla wrote: > > > On Wed, Apr 26, 2017 at 2:29 PM, Tommy Pauly wrote: > >> >> On Apr 26, 2017, at 12:51 PM, Eric Rescorla wrote: >> >> AFAICT there are two separate issues: >> >> - The use of 4500, which,

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Eric Rescorla
On Wed, Apr 26, 2017 at 2:29 PM, Tommy Pauly wrote: > > On Apr 26, 2017, at 12:51 PM, Eric Rescorla wrote: > > AFAICT there are two separate issues: > > - The use of 4500, which, as Tero says, we can just update the registry to > point to this document for. > -

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Eric Rescorla
On Thu, Apr 27, 2017 at 1:32 AM, Mirja Kühlewind wrote: > > I do see the problem you have and I understand why you selected the > solution you have but that does contradict quite a bit the idea of the port > registry and I don't think it's a safe and future proof solution.

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Tero Kivinen
Eric Rescorla writes: > AFAICT there are two separate issues: > > - The use of 4500, which, as Tero says, we can just update the registry to > point to this document for. > - The use of 443, which seems more complicated Yes. > WRT 443, I would assert the following facts: > > - It's not

[IPsec] Benoit Claise's No Objection on draft-ietf-ipsecme-tcp-encaps-09: (with COMMENT)

2017-04-27 Thread Benoit Claise
Benoit Claise has entered the following ballot position for draft-ietf-ipsecme-tcp-encaps-09: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Spencer Dawkins at IETF
Not my discuss, but since I'm also supposed to worry about ports :-) On Thu, Apr 27, 2017 at 3:32 AM, Mirja Kühlewind wrote: > Hi Tommy, > > please see below, only on the first point for now. > > On 26.04.2017 05:28, Tommy Pauly wrote: > >> >> >> On Apr 25, 2017, at 5:48

Re: [IPsec] Ben Campbell's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS and COMMENT)

2017-04-27 Thread Tero Kivinen
Ben Campbell writes: > > > On Apr 26, 2017, at 6:06 AM, Tero Kivinen wrote: > > > > Ben Campbell writes: > >> -- > >> COMMENT: > >> -- > >> >

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Mirja Kühlewind
Hi Tommy, please see below, only on the first point for now. On 26.04.2017 05:28, Tommy Pauly wrote: On Apr 25, 2017, at 5:48 AM, Mirja Kühlewind wrote: Mirja Kühlewind has entered the following ballot position for draft-ietf-ipsecme-tcp-encaps-09: Discuss When