
RE: [BEHAVE] Re: CPE equipments and stateful filters



> On Mon, Jul 30, 2007 at 05:28:02PM -0700, Dan Wing wrote:
> > The only IPsec client implementation I'm aware of is Cisco's, and
> > I know our implementation does not provide automatic detection or
> > fallback from IPsec-over-IP to IPsec-over-UDP; rather, the user has
> > to select this themselves or be artificially limited to always use
> > UDP.  IPsec-over-UDP is, of course, less bandwidth efficient than
> > IPsec-over-IP.
> 
> This is again assuming "the IPSEC session is initiated outbound-only,
> and the IPSEC server (gateway, whatever) is in a corporate 
> data center".
> 
> In an end-to-end world, it may be desirable to have one residential
> user set up IPSEC to another residential user.  Both behind 
> such stateful firewalls that neither permits unsolicited 
> inbound UDP.

In such a case, they need to communicate each other's IP addresses
(and perhaps UDP ports) using a rendezvous protocol (such as SIP,
see draft-saito-mmusic-sdp-ike-01.txt) in order to allow one (or both)
to allow inbound UDP (or 'raw' IPsec), or the server would need to
tell its firewall to permit unsolicited incoming traffic.

-d
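Added illustration, not part of the thread: a toy Python model of the stateful-filter premise above, showing why two residential peers both behind "outbound-only" filters need either a rendezvous exchange (so each sends first) or an explicit pinhole on one side. Addresses, the flow key and UDP port 4500 are constructed assumptions for the model, not details from the message.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "udp" (IPsec-over-UDP) or "esp" ('raw' IPsec)
    src: str
    dst: str
    sport: int = 0    # ESP carries no ports; 0 stands for "none"
    dport: int = 0


class StatefulFilter:
    """Toy CPE firewall: an outbound packet creates a flow entry, and an
    inbound packet is accepted only if it matches an entry in reverse or
    an explicitly configured pinhole.  Anything else is dropped."""

    def __init__(self, inside_addr):
        self.inside = inside_addr
        self.flows = set()
        self.pinholes = set()

    def send(self, pkt):
        """Host behind the filter sends outbound: remember the flow."""
        assert pkt.src == self.inside
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def allow_unsolicited(self, proto, dport):
        """The 'tell its firewall to permit incoming traffic' option."""
        self.pinholes.add((proto, dport))

    def receive(self, pkt):
        """True if the inbound packet is admitted to the inside host."""
        if (pkt.proto, pkt.dport) in self.pinholes:
            return True
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.flows


def try_session(rendezvous_first, proto="udp", pinhole=False):
    """Two residential users A and B, each behind its own filter.
    Returns (A's filter admits B's packet, B's filter admits A's packet)."""
    a_fw, b_fw = StatefulFilter("192.0.2.10"), StatefulFilter("198.51.100.20")
    port = 4500 if proto == "udp" else 0           # assumed NAT-T style port
    a_to_b = Packet(proto, a_fw.inside, b_fw.inside, port, port)
    b_to_a = Packet(proto, b_fw.inside, a_fw.inside, port, port)
    if pinhole:
        b_fw.allow_unsolicited(proto, port)        # B opened its firewall
    a_fw.send(a_to_b)                              # A always initiates
    if rendezvous_first:
        b_fw.send(b_to_a)   # B learned A's address/port out of band (e.g. SIP)
    return a_fw.receive(b_to_a), b_fw.receive(a_to_b)
```

Without rendezvous, A's packet is dropped at B's filter; with both sides sending first, or with B's pinhole, both directions are admitted.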