Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps

2017-03-20 Thread Paul Wouters
On Sun, 19 Mar 2017, Eric Rescorla wrote: I haven't fully thought this through, but if you can switch-hit between TCP and UDP, why can't you just race the setup between TCP and UDP and then if you start getting packets on UDP, cut over to that.  There should really be a STRONG preference for

Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps

2017-03-19 Thread Eric Rescorla
Thanks for the explanation... -Ekr On Sun, Mar 19, 2017 at 11:45 AM, Tommy Pauly wrote: > Some servers may support that, but some may not. These sessions are often > used for VPN access, and we've seen cases in which a particular > user/certificate combination is only

Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps

2017-03-19 Thread Tommy Pauly
Some servers may support that, but some may not. These sessions are often used for VPN access, and we've seen cases in which a particular user/certificate combination is only allowed to be connected once-at-a-time. That makes switching more complicated. Also, since the recommendation is to try

Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps

2017-03-19 Thread Eric Rescorla
I haven't fully thought this through, but if you can switch-hit between TCP and UDP, why can't you just race the setup between TCP and UDP and then if you start getting packets on UDP, cut over to that. Maybe I'm just too influenced by ICE :) -Ekr On Sun, Mar 19, 2017 at 11:25 AM, Tommy Pauly

Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps

2017-03-19 Thread Tommy Pauly
> On Mar 19, 2017, at 6:47 AM, Eric Rescorla wrote: > > > > On Sat, Mar 18, 2017 at 11:29 PM, Yoav Nir > wrote: > Hi, Eric. > >> On 19 Mar 2017, at 4:04, Eric Rescorla > > wrote: >> >>

Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps

2017-03-19 Thread Eric Rescorla
On Sat, Mar 18, 2017 at 11:29 PM, Yoav Nir wrote: > Hi, Eric. > > On 19 Mar 2017, at 4:04, Eric Rescorla wrote: > > [Now with the right address] > > I just finished reading this document. Some comments below. > > > - You have a uniform 16 bit length field

Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps

2017-03-19 Thread Yoav Nir
> On 19 Mar 2017, at 13:20, Valery Smyslov wrote: > > Hi Yoav, > >> > I don't think it's a good idea. The TCP encapsulation has a lot of >> > drawbacks in terms of performance (see Section > 12), so it is considered >> > as a last resort if UDP doesn't work. In general UDP

Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps

2017-03-19 Thread Valery Smyslov
Hi Yoav, > I don't think it's a good idea. The TCP encapsulation has a lot of drawbacks in terms of performance (see Section > 12), so it is considered > as a last resort if UDP doesn't work. In general UDP (or no encapsulation) is a preferred transport. If we start > trying TCP and UDP in

Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps

2017-03-19 Thread Valery Smyslov
Hi Eric, I just finished reading this document. Some comments below. - You have a uniform 16 bit length field followed by a 4 byte all-zeros sentinel value to indicate that a packet is IKE rather than ESP. Given that in S 3 graf 2 you have a SHOULD-level requirement to use typical

Re: [IPsec] Comments on draft-ietf-ipsecme-tcp-encaps

2017-03-19 Thread Yoav Nir
Hi, Eric. > On 19 Mar 2017, at 4:04, Eric Rescorla wrote: > > [Now with the right address] > > I just finished reading this document. Some comments below. > > > - You have a uniform 16 bit length field followed by a 4 byte all-zeros >sentinel value to indicate that a

[IPsec] Comments on draft-ietf-ipsecme-tcp-encaps

2017-03-18 Thread Eric Rescorla
[Now with the right address] I just finished reading this document. Some comments below. - You have a uniform 16 bit length field followed by a 4 byte all-zeros sentinel value to indicate that a packet is IKE rather than ESP. Given that in S 3 graf 2 you have a SHOULD-level requirement