RE: IKE transport (was INITIAL-CONTACT issues)

>>>>> "Sankar" == Sankar Ramamoorthi <Sankar@vpnet.com> writes:

 Sankar> How about using udp for the first IKE session between 2
 Sankar> endpoints and then using a tcp-over-ipsec as the transport
 Sankar> for the rest of the IKE sessions that could happen between
 Sankar> the end-points?

Yikes.  It seems really ugly to change horses, er, transports in
midstream.  There really is no major functional difference between
using UDP with reliability/keepalive in the application, and TCP with
some of that stuff moved into the transport.  Given that the decision
has been made to use UDP, my inclination is to say we should stick
with it.  If there is strong enough reason to switch, then let's
switch.  But I find it hard to imagine a reason strong enough to
justify switching half the time, yet weak enough to justify not
switching the rest of the time.