[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [BEHAVE] Re: CPE equipments and stateful filters
> On Mon, Jul 30, 2007 at 05:28:02PM -0700, Dan Wing wrote:
> > The only IPsec client implementation I'm aware of is Cisco's, and
> > I know our implementation does not provide automatic detection or
> > fallback from IPsec-over-IP to IPsec-over-UDP; rather, the user has
> > to select this themselves or be artificially limited to always use
> > UDP. IPsec-over-UDP is, of course, less bandwidth efficient than
> > IPsec-over-IP.
>
> This is again assuming "the IPSEC session is initiated outbound-only,
> and the IPSEC server (gateway, whatever) is in a corporate
> data center".
>
> In an end-to-end world, it may be desirable to have one residential
> user setup IPSEC to another residential user. Both behind
> such stateful firewalls that neither permit unsolicited
> inbound UDP.
In such a case, they need to communicate each others IP addresses
(and perhaps UDP ports) using a rendezvous protocol (such as SIP,
see draft-saito-mmusic-sdp-ike-01.txt) in order to allow one (or both)
to allow inbound UDP (or 'raw' IPsec), or the server would need to
tell its firewall to permit unsolicited incoming traffic.
-d