[e2e] Receiving RST on a MD5 TCP connection.

Joe Touch touch at ISI.EDU
Mon Jul 4 08:39:52 PDT 2005



RJ Atkinson wrote:
> 
> On Jul 1, 2005, at 13:15, Joe Touch wrote:
> 
>> RJ Atkinson wrote:
>>
>>> Along that line, it should be quite practical for someone to
>>> write a "TCP MD5 Domain of Interpretation" specification to
>>> permit the existing ISAKMP/IKE protocol to be used for this
>>> purpose.
>>>
>>
>> Agreed, however it's even easier to configure IKE to set up a transport
>> association between BGP peers (which, as below, I presume you are
>> referring to).
> 
> I am unclear what you mean by "set up a transport association".

Use IKE to set up a transport mode security association on TCP on the
port used for BGP.

> To be clear, I was referring to the prospective use of IKE to provide
> dynamic key management for the existing TCP MD5 authentication mechanism.

Which would be useful as well; I'd like to have IKE configure IPIP
tunnels (not just IPsec), regular firewalls (not just IPsec SAs), and
other keys as well.

> As near as I can tell, the only thing missing is a "Domain of
> Interpretation" specification for how IKE is applied to TCP MD5.
> IKE is nicely modular in this way, so IKE can be extended in a
> straightforward manner to things well beyond IPsec (which is the
> main reason I have felt all along that IKE should have been done
> in a different WG than the IPsec WG).
> 
> Ran

Agreed.

Joe