
RE: Reminder: last call for PIC in the IPSRA WG



> Regarding fragmentation, I share your concern. It is an issue for PIC, just
> as it is for IKE. As an anecdote, *TCP* port 500 is reserved for ISAKMP.
> Maybe that's the way to go...
> 

The IKE fragmentation problem is in practice a *major* issue -- because
long cert chains cause IKE to frag and most routers can't properly filter
the frags. 

The reason that this hasn't gotten more visibility is that the vast
majority of IPsec implementations use shared secrets. But of course, the
whole point of PIC is to enable cert enrollment, so we cannot avoid it. 

For my two cents, I believe that PIC should run over TCP by default.
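As an added illustration (not part of this thread) of why the fragments cannot be filtered by port: this constructed simulation splits an ISAKMP datagram over UDP/500 into IPv4 fragments at a given MTU and applies a stateless "udp dst port 500" rule to each one. It assumes IPv4 without options and a filter that can only read the header bytes present in the fragment in front of it; the 6000-byte "cert chain" is a made-up size.

```python
"""Constructed example: only the first IPv4 fragment of a UDP datagram
carries the UDP header, so a stateless port-based ACL cannot match the
rest. Assumes IPv4 with no options and a plain UDP/500 filter rule."""
from dataclasses import dataclass
from typing import List, Tuple

IPV4_HEADER = 20      # bytes, no IP options (assumption)
UDP_HEADER = 8
ISAKMP_PORT = 500


@dataclass
class Fragment:
    offset: int            # byte offset of this fragment's data in the datagram
    more_fragments: bool   # MF flag
    payload: bytes         # the IP payload bytes carried by this fragment


def build_udp_datagram(payload_len: int) -> bytes:
    """UDP header (src 500, dst 500, length, zero checksum) + dummy payload."""
    total = UDP_HEADER + payload_len
    header = (ISAKMP_PORT.to_bytes(2, "big") * 2
              + total.to_bytes(2, "big") + b"\x00\x00")
    return header + b"\x00" * payload_len   # constructed filler, not real ISAKMP


def fragment_ipv4(datagram: bytes, mtu: int) -> List[Fragment]:
    """Split the IP payload into fragments; all but the last are 8-byte multiples."""
    per_frag = (mtu - IPV4_HEADER) // 8 * 8
    frags, off = [], 0
    while off < len(datagram):
        chunk = datagram[off:off + per_frag]
        frags.append(Fragment(off, off + len(chunk) < len(datagram), chunk))
        off += len(chunk)
    return frags


def stateless_port_match(frag: Fragment, port: int) -> bool:
    """A stateless ACL sees the UDP dst port only in a fragment at offset 0."""
    if frag.offset != 0 or len(frag.payload) < UDP_HEADER:
        return False
    return int.from_bytes(frag.payload[2:4], "big") == port


def count_filterable(payload_len: int, mtu: int) -> Tuple[int, int]:
    """Return (number of fragments, fragments the port filter can match)."""
    frags = fragment_ipv4(build_udp_datagram(payload_len), mtu)
    return len(frags), sum(stateless_port_match(f, ISAKMP_PORT) for f in frags)


if __name__ == "__main__":
    print(count_filterable(6000, 1500))   # long cert chain: 5 fragments, 1 matchable
    print(count_filterable(1000, 1500))   # small exchange: 1 fragment, 1 matchable
```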