Re: [Call-home] Why not IPsec with IKEv2 + NAT-T?

Dean Willis <dean.willis@softarmor.com> Wed, 28 September 2005 17:50 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EKg4D-0001Kg-TH; Wed, 28 Sep 2005 13:50:05 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EKg4B-0001K5-TT for call-home@megatron.ietf.org; Wed, 28 Sep 2005 13:50:04 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA25439 for <call-home@ietf.org>; Wed, 28 Sep 2005 13:50:02 -0400 (EDT)
Received: from nylon.softarmor.com ([66.135.38.164]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EKgBf-0004rx-US for call-home@ietf.org; Wed, 28 Sep 2005 13:57:49 -0400
Received: from [64.101.149.214] (deanwillis-comp.cisco.com [64.101.149.214]) (authenticated bits=0) by nylon.softarmor.com (8.13.1/8.13.1) with ESMTP id j8SHsiOM022053 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NO); Wed, 28 Sep 2005 12:54:45 -0500
In-Reply-To: <B3EF030E-4F05-460E-A6AF-798B0CE4B5F3@nomadiclab.com>
References: <433979ED.1000000@cisco.com> <7F8A2E5A-90A9-404E-9247-DBF93FAB367A@nomadiclab.com> <900D9AC5-1AB6-4063-9AEE-C227F94BDBA9@softarmor.com> <B3EF030E-4F05-460E-A6AF-798B0CE4B5F3@nomadiclab.com>
Mime-Version: 1.0 (Apple Message framework v734)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <EB1E9D18-EC2C-472E-8B89-C458708F9114@softarmor.com>
Content-Transfer-Encoding: 7bit
From: Dean Willis <dean.willis@softarmor.com>
Subject: Re: [Call-home] Why not IPsec with IKEv2 + NAT-T?
Date: Wed, 28 Sep 2005 12:49:56 -0500
To: Pekka Nikander <pekka.nikander@nomadiclab.com>
X-Mailer: Apple Mail (2.734)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7d33c50f3756db14428398e2bdedd581
Cc: call-home@ietf.org
X-BeenThere: call-home@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Discussion of issues relating to &quot; call home&quot; functionality and firewall traversal" <call-home.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/call-home>, <mailto:call-home-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/call-home>
List-Post: <mailto:call-home@ietf.org>
List-Help: <mailto:call-home-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/call-home>, <mailto:call-home-request@ietf.org?subject=subscribe>
Sender: call-home-bounces@ietf.org
Errors-To: call-home-bounces@ietf.org

On Sep 28, 2005, at 12:25 PM, Pekka Nikander wrote:

>
>
>> This has led to discussions about using some non-SNMP mechanism to  
>> "kick" the managed node and tell it to build up a connection to  
>> its management agent.
>>
>
> AFAICT, that is a different question and basically orthogonal on  
> whether you want to use IPsec, SSH or TLS for security.  On-demand  
> IPsec, as alluded above, also needs such "kicking".
>

That's true, and on-demand IPsec would have less "impact" than permanently nailed-up IPsec would.

--
Dean
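
To make the distinction between nailed-up and on-demand IPsec concrete, the following is an added illustration, not part of the original thread or any poster's text. It is a strongSwan ipsec.conf fragment for the managed node, which sits behind a NAT and initiates IKEv2 toward the management station (hence NAT-T via forced UDP encapsulation). Addresses, identities and certificate names are hypothetical. The two conn sections show the two policies side by side: `auto=start` negotiates the SA at daemon start and keeps it alive, while `auto=route` installs only a kernel trap policy, so the IKE exchange is triggered by the first packet toward the management subnet (the "kick" discussed above) and the SA is torn down again after an idle period. Only one of the two conns would be enabled on a real node, since they cover the same traffic selectors.

```ini
# Added example, not from the thread. Hypothetical addresses and names.
# strongSwan ipsec.conf fragment on the managed node, which is behind a NAT
# and initiates toward the management station.

config setup

conn %default
    keyexchange=ikev2
    left=%defaultroute               # managed node, NATed (hypothetical)
    leftid=@node.example.net
    leftcert=nodeCert.pem
    leftauth=pubkey
    right=203.0.113.5                # management station (hypothetical)
    rightid=@mgmt.example.net
    rightauth=pubkey
    rightsubnet=198.51.100.0/24      # management subnet (hypothetical)
    forceencaps=yes                  # NAT-T: always UDP-encapsulate ESP
    dpdaction=clear                  # drop a dead peer's SA instead of hanging
    dpddelay=30s

# Nailed-up: SA is negotiated at startup and re-established whenever it drops,
# so the tunnel (and its IKE keepalive traffic) is always present.
conn mgmt-nailed-up
    auto=start
    closeaction=restart

# On-demand: only a trap policy is installed. The first packet matching
# rightsubnet triggers IKE_SA_INIT; after 5 minutes without traffic the
# CHILD_SA is closed and nothing is kept up until the next "kick".
conn mgmt-on-demand
    auto=route
    inactivity=300s
    closeaction=none
```

In the on-demand case the trigger is traffic originating on the managed node itself, which is why, as Pekka notes, the node still needs some out-of-band signal to start talking when the management side wants to reach it; the trap policy only removes the need to keep the SA nailed up in between.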


_______________________________________________
Call-home mailing list
Call-home@ietf.org
https://www1.ietf.org/mailman/listinfo/call-home