Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Tommy Pauly
> On Apr 27, 2017, at 7:32 AM, Mirja Kühlewind wrote: > > See below > > On 27.04.2017 16:27, Eric Rescorla wrote: >> >>"This document leaves the selection of TCP ports up to >> implementations. It is suggested to use TCP port 4500, which >> is

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Tommy Pauly
> On Apr 27, 2017, at 6:46 AM, Mirja Kühlewind wrote: > > One more side comment on the magic number: actually the magic number makes it > easy for a network operator to identify IKE/IPsec traffic on any port and block > all packets that belong to a flow that started with

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Mirja Kühlewind
See below On 27.04.2017 16:27, Eric Rescorla wrote: "This document leaves the selection of TCP ports up to implementations. It is suggested to use TCP port 4500, which is allocated for IPsec NAT Traversal." Which sounds to me like an

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Mirja Kühlewind
See below. On 27.04.2017 16:10, Eric Rescorla wrote: On Thu, Apr 27, 2017 at 6:42 AM, Mirja Kühlewind > wrote: Hi Ekr, hi all, (not sure anymore which email best to reply to but I'm using this one now to partly also reply to

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Eric Rescorla
On Thu, Apr 27, 2017 at 7:21 AM, Mirja Kühlewind wrote: > See below. > > On 27.04.2017 16:10, Eric Rescorla wrote: > >> >> >> On Thu, Apr 27, 2017 at 6:42 AM, Mirja Kühlewind > > wrote: >> >> Hi Ekr, hi all, >> >>

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Eric Rescorla
On Thu, Apr 27, 2017 at 6:42 AM, Mirja Kühlewind wrote: > Hi Ekr, hi all, > > (not sure anymore which email best to reply to but I'm using this one now > to partly also reply to others). > > See below. > > On 27.04.2017 14:51, Eric Rescorla wrote: > >> >> >> On Thu, Apr 27,

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Mirja Kühlewind
Yes, just saying... On 27.04.2017 15:50, Eric Rescorla wrote: On Thu, Apr 27, 2017 at 6:46 AM, Mirja Kühlewind > wrote: One more side comment on the magic number: actually the magic number makes it easy for a network operator to identify

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Mirja Kühlewind
One more side comment on the magic number: actually the magic number makes it easy for a network operator to identify IKE/IPsec traffic on any port and block all packets that belong to a flow that started with this pattern in the first payload packet. So if you really think you need a magic

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Eric Rescorla
On Thu, Apr 27, 2017 at 6:46 AM, Mirja Kühlewind wrote: > One more side comment on the magic number: actually the magic number makes > it easy for a network operator to identify IKE/IPsec traffic on any port and > block all packets that belong to a flow that started with this

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Mirja Kühlewind
Hi Ekr, hi all, (not sure anymore which email best to reply to but I'm using this one now to partly also reply to others). See below. On 27.04.2017 14:51, Eric Rescorla wrote: On Thu, Apr 27, 2017 at 1:32 AM, Mirja Kühlewind > wrote: I

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Eric Rescorla
On Thu, Apr 27, 2017 at 6:00 AM, Eric Rescorla wrote: > > > On Wed, Apr 26, 2017 at 2:29 PM, Tommy Pauly wrote: > >> >> On Apr 26, 2017, at 12:51 PM, Eric Rescorla wrote: >> >> AFAICT there are two separate issues: >> >> - The use of 4500, which,

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Eric Rescorla
On Wed, Apr 26, 2017 at 2:29 PM, Tommy Pauly wrote: > > On Apr 26, 2017, at 12:51 PM, Eric Rescorla wrote: > > AFAICT there are two separate issues: > > - The use of 4500, which, as Tero says, we can just update the registry to > point to this document for. > -

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Eric Rescorla
On Thu, Apr 27, 2017 at 1:32 AM, Mirja Kühlewind wrote: > > I do see the problem you have and I understand why you selected the > solution you have, but that does contradict quite a bit the idea of the port > registry and I don't think it's a safe and future-proof solution.

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Tero Kivinen
Eric Rescorla writes: > AFAICT there are two separate issues: > > - The use of 4500, which, as Tero says, we can just update the registry to > point to this document for. > - The use of 443, which seems more complicated Yes. > WRT 443, I would assert the following facts: > > - It's not

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Spencer Dawkins at IETF
Not my discuss, but since I'm also supposed to worry about ports :-) On Thu, Apr 27, 2017 at 3:32 AM, Mirja Kühlewind wrote: > Hi Tommy, > > please see below, only on the first point for now. > > On 26.04.2017 05:28, Tommy Pauly wrote: > >> >> >> On Apr 25, 2017, at 5:48

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-27 Thread Mirja Kühlewind
Hi Tommy, please see below, only on the first point for now. On 26.04.2017 05:28, Tommy Pauly wrote: On Apr 25, 2017, at 5:48 AM, Mirja Kühlewind wrote: Mirja Kühlewind has entered the following ballot position for draft-ietf-ipsecme-tcp-encaps-09: Discuss When

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-26 Thread Tommy Pauly
> On Apr 26, 2017, at 12:51 PM, Eric Rescorla wrote: > > AFAICT there are two separate issues: > > - The use of 4500, which, as Tero says, we can just update the registry to > point to this document for. > - The use of 443, which seems more complicated > > WRT 443, I would

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-26 Thread Eric Rescorla
AFAICT there are two separate issues: - The use of 4500, which, as Tero says, we can just update the registry to point to this document for. - The use of 443, which seems more complicated WRT 443, I would assert the following facts: - It's not awesome that people use 443 (though understandable

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-26 Thread Tero Kivinen
Tommy Pauly writes: > > -- > > DISCUSS: > > -- > > > > This draft suggests that ports that are assigned to other services can > > simply be used. This is not

Re: [IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-25 Thread Tommy Pauly
> On Apr 25, 2017, at 5:48 AM, Mirja Kühlewind wrote: > > Mirja Kühlewind has entered the following ballot position for > draft-ietf-ipsecme-tcp-encaps-09: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the

[IPsec] Mirja Kühlewind's Discuss on draft-ietf-ipsecme-tcp-encaps-09: (with DISCUSS)

2017-04-25 Thread Mirja Kühlewind
Mirja Kühlewind has entered the following ballot position for draft-ietf-ipsecme-tcp-encaps-09: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to