Re: Moving PIC forwards
I agree with both points below. I think UDP should be a MUST, implying
that we need a cert continuation mechanism of some sort. I also think we
should make TCP a MAY, and reserve a port for it.
Scott
Bernard Aboba wrote:
>
> > fragmentation is obviously a serious issue. However, I'm worried that moving
> > PIC to TCP could mean the death of this protocol, at least in the VPN space.
> > Hardware VPN vendors don't trust TCP, because of the amount of state
> > involved and the associated DOS exposure. And until PIC is "re-purposed",
> > this is an important deployment segment.
>
> OK. So what about a "cert continuation" payload? I'd note that PIC already
> supports multiple round-trips, and EAP methods can already support such
> continuations (see RFC 2716).