Re: [IPsec] I-D Action: draft-ietf-ipsecme-ike-tcp-01.txt
"Valery Smyslov" <svanru@gmail.com> Fri, 14 December 2012 05:37 UTC
From: Valery Smyslov <svanru@gmail.com>
To: Yoav Nir <ynir@checkpoint.com>
Cc: ipsec@ietf.org
Date: Fri, 14 Dec 2012 09:37:06 +0400
Message-ID: <B1F8AE12E3604526980FA756C8F2DB09@buildpc>
References: <20121203223404.5441.71025.idtracker@ietfa.amsl.com> <E7FA5DBC7DB747779E6E6D73460A6615@buildpc> <4613980CFC78314ABFD7F85CC30277210EDFD9D0@IL-EX10.ad.checkpoint.com>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-ike-tcp-01.txt
Hi Yoav,

> Hi Valery
>
> Thinking it over, I kind of regret adding the port field to the
> TCP_SUPPORTED notification.
> We don't have any mechanism for alternate UDP ports. Yes, UDP has cheap
> liveness checks to keep the mapping in the NAT so that requests can be
> initiated to the original initiator, while TCP does not.
>
> But your points are well taken. Leaving the advertised TCP port to
> configuration or auto-discovery is error-prone and adds unnecessary
> complications to the protocol.
>
> I propose that:
> 1. We remove the port from the Notify
> 2. All connections will be done to port 500.
> 3. We warn against trying to use TCP to a peer behind NAT

Fully agree. And in this case please add the following to the list:

4. We remove the TCP_SUPPORTED notification from the Initiator's message (as it becomes redundant for most use cases).

> This loses the ability to use port forwarding to have a reachable TCP port
> (unless that port is 500), but I think the simplification justifies it.

Agree.

Valery.

> Yoav
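The following is an added example, not code from the draft or from either correspondent. It encodes and strictly parses an IKEv2 Notify payload in the RFC 7296 wire format and shows the two TCP_SUPPORTED shapes under discussion: the -01 form carrying an advertised port and the proposed form with no port at all, where the receiver simply uses 500. The TCP_SUPPORTED type value (a private-use placeholder) and the assumption that the -01 port field is a two-byte network-order port in the Notification Data are both assumptions; the page does not give them.

```python
import struct

# IKEv2 constants from RFC 7296 (sections 3.2 and 3.10).
NOTIFY_PAYLOAD_TYPE = 41      # payload type number of the Notify payload
NO_NEXT_PAYLOAD = 0
IKE_PORT = 500                # the single TCP port under the proposal in the message above

# ASSUMPTION: the real TCP_SUPPORTED type value in draft-ietf-ipsecme-ike-tcp-01 is not
# given on this page; a private-use status type (40960-65535) stands in for it here.
TCP_SUPPORTED = 40960


def build_notify(msg_type, data=b"", protocol_id=0, spi=b"",
                 next_payload=NO_NEXT_PAYLOAD, critical=False):
    """Encode one IKEv2 Notify payload, generic payload header included.

    Generic header: Next Payload (1) | C bit + RESERVED (1) | Payload Length (2).
    Notify body:    Protocol ID (1) | SPI Size (1) | Notify Message Type (2) | SPI | Data.
    A status notification that concerns no SA, like TCP_SUPPORTED, uses Protocol ID 0
    and SPI Size 0.
    """
    if len(spi) > 255:
        raise ValueError("SPI too long for the one-byte SPI Size field")
    body = struct.pack("!BBH", protocol_id, len(spi), msg_type) + spi + data
    length = 4 + len(body)
    if length > 0xFFFF:
        raise ValueError("payload exceeds the 16-bit Payload Length field")
    flags = 0x80 if critical else 0x00
    return struct.pack("!BBH", next_payload, flags, length) + body


def parse_notify(buf):
    """Decode a Notify payload from the start of buf, checking every length field
    before trusting it; returns a dict with the decoded fields."""
    if len(buf) < 8:
        raise ValueError("truncated: generic header plus Notify fixed fields need 8 bytes")
    next_payload, flags, length = struct.unpack("!BBH", buf[:4])
    if length < 8 or length > len(buf):
        raise ValueError("Payload Length %d inconsistent with %d bytes available"
                         % (length, len(buf)))
    protocol_id, spi_size, msg_type = struct.unpack("!BBH", buf[4:8])
    if 8 + spi_size > length:
        raise ValueError("SPI Size exceeds Payload Length")
    return {
        "next_payload": next_payload,
        "critical": bool(flags & 0x80),
        "protocol_id": protocol_id,
        "msg_type": msg_type,
        "spi": buf[8:8 + spi_size],
        "data": buf[8 + spi_size:length],
    }


def is_valid_notify(buf):
    """True when buf starts with a well-formed Notify payload."""
    try:
        parse_notify(buf)
        return True
    except ValueError:
        return False


def tcp_port_from_notify(buf):
    """Return the TCP port a TCP_SUPPORTED notification tells the peer to connect to.

    ASSUMPTION: the -01 port field is modelled as a two-byte network-order port in the
    Notification Data. The proposed form carries no data and always means IKE_PORT.
    Both forms are accepted here so the two encodings can be compared side by side.
    """
    n = parse_notify(buf)
    if n["msg_type"] != TCP_SUPPORTED:
        raise ValueError("not a TCP_SUPPORTED notification")
    if n["protocol_id"] != 0 or n["spi"]:
        raise ValueError("status notification must not carry an SPI")
    if len(n["data"]) == 0:
        return IKE_PORT            # proposed form: no port field, fixed port 500
    if len(n["data"]) == 2:
        (port,) = struct.unpack("!H", n["data"])
        if port == 0:
            raise ValueError("port 0 is not a usable TCP port")
        return port                # -01 form: advertised port, only right if NAT/forwarding matches
    raise ValueError("unexpected Notification Data length %d" % len(n["data"]))


if __name__ == "__main__":
    proposed = build_notify(TCP_SUPPORTED)                                # 8 bytes, no port
    draft01 = build_notify(TCP_SUPPORTED, data=struct.pack("!H", 4500))   # 10 bytes, port 4500
    print(proposed.hex(), tcp_port_from_notify(proposed))
    print(draft01.hex(), tcp_port_from_notify(draft01))
```

The parser refuses any Payload Length or SPI Size that points past the bytes actually received, which is the check an IKE implementation needs before it reads a port (or anything else) out of Notification Data sent by an unauthenticated peer in the first exchange.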