
RE: [BEHAVE] Re: CPE equipments and stateful filters



> We have different definitions of 'solicited traffic' and
> 'unsolicited traffic'.  Other than opening a listener on UDP/500
> for IKE (and telling the upstream firewall to please open a
> permission for incoming traffic), the host didn't do anything to
> solicit an incoming IKE packet.  I call that incoming traffic
> 'unsolicited', because the host (and its firewall) are unaware
> of when a client will send a packet to establish a connection.
> An HTTP server or SMTP server falls into this category, for
> example.

It makes a ton of sense to just leave the IKE port (UDP 500) open. IKE
is a fairly robust protocol, with built-in protection against DoS. It is
part of the security suite, and thus the software implementations tend
to be scrutinized and well tested. At the end of the IKE exchange, the
parties have identified each other, and have made a conscious decision
to authorize the communication. Clearly, the follow-on traffic may be
"unsolicited", but it will not come from random parties. Leaving port
500 open looks like good engineering!

-- Christian Huitema
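
The solicited/unsolicited distinction and the UDP/500 pinhole discussed in the exchange above, as an added example that is not from the thread or any of its participants: a toy stateful CPE filter in Python that permits inbound packets only when they answer a flow the inside host opened, or when they hit an explicitly opened port. The addresses, the idle timeout and the class and function names are constructed for illustration.

```python
from dataclasses import dataclass

FLOW_IDLE_TIMEOUT = 30.0  # seconds; constructed value for this toy

@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFilter:
    """Default-deny inbound: permit solicited replies or explicit pinholes."""
    def __init__(self, pinholes=frozenset({("udp", 500)})):
        self.pinholes = pinholes  # (proto, dport) deliberately left open
        self.flows = {}           # 5-tuple as sent by inside host -> last seen

    def outbound(self, pkt, now):
        # Outbound traffic creates or refreshes state; its replies are solicited.
        self.flows[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
        return "permit"

    def inbound(self, pkt, now):
        # Look up the reverse 5-tuple of a flow the inside host started.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        last = self.flows.get(key)
        if last is not None:
            if now - last <= FLOW_IDLE_TIMEOUT:
                self.flows[key] = now
                return "permit:solicited"
            del self.flows[key]  # idle state expired; treat as unsolicited
        if (pkt.proto, pkt.dport) in self.pinholes:
            return "permit:pinhole"
        return "drop:unsolicited"

def demo():
    f = StatefulFilter()
    host, peer = "192.0.2.10", "198.51.100.7"  # constructed addresses
    # Inside host sends a DNS query; the reply is solicited and permitted.
    f.outbound(Packet("udp", host, 40000, peer, 53), now=0.0)
    v1 = f.inbound(Packet("udp", peer, 53, host, 40000), now=1.0)
    # The same reply long after the UDP state idled out is dropped.
    v2 = f.inbound(Packet("udp", peer, 53, host, 40000), now=100.0)
    # A remote IKE initiator hits UDP/500: unsolicited, but pinholed.
    v3 = f.inbound(Packet("udp", peer, 500, host, 500), now=2.0)
    # Unsolicited SMTP with no pinhole is dropped.
    v4 = f.inbound(Packet("tcp", peer, 51000, host, 25), now=2.0)
    return [v1, v2, v3, v4]
```

The expired DNS reply shows why a filter cannot rely on flow state alone for a server port: the host has no outbound packet to send ahead of an IKE initiator, so only the explicit pinhole lets that first packet through.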