VPN and IPtables

Henry Spencer henry-lqW1N6Cllo0sV2N9l4h3zg at public.gmane.org
Thu Sep 16 02:26:22 UTC 2004


On Wed, 15 Sep 2004, Lennart Sorensen wrote:
> > Encrypted data is transferred using protocol 50 (esp), udp port 500 is only 
> > used for key negotiation (isakmp).
> 
> Hmm, that wouldn't make sense since it's the data you care less about
> losing than the key exchanges...

Neither protocol 50 nor UDP port 500 is any more or less prone to data
getting lost, other things being equal.  Both are datagrams, with
unreliable best-effort delivery.  In both cases, reliability requires a
higher-level protocol to pay attention and deal with lost packets somehow.

(There has been some suggestion that it might be desirable to have an
option to use TCP for key negotiation.  The issue is not reliability --
the IKE key-negotiation protocol does handle retransmission of lost
packets, if not as well as it might -- but the fact that IKE messages
sometimes get large, and UDP doesn't do really big packets well.  TCP has
its own problems in this context, though...)

> ...Using a
> different protocol than udp would mean routers don't have a clue about
> the importance of that data...

That's correct, they don't.  But then, routers which want to know about
the importance of the data tend to want to inspect packet innards... and
that is inherently impossible with IPsec.  It is fundamental to IPsec that
many "smart network tricks" (which, on closer inspection, often aren't
really good ideas) are no longer possible when the contents of packets are
completely hidden from inspection en route.

> But then again I could be wrong about which port does which.

As former technical lead of the late FreeS/WAN project, I can assure you
I do know which does which. :-)

RFC 2406 will tell you just about everything there is to know about ESP.
It's reasonably well designed.

You don't want to learn about IKE; trust me on this. :-)

                                                          Henry Spencer
                                                       henry-lqW1N6Cllo0sV2N9l4h3zg at public.gmane.org

--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
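Turning the thread's answer (ESP is IP protocol 50 and carries the data, UDP port 500 carries only the IKE/ISAKMP key exchange) into the matching iptables rules, as an added example that is not from the original post. The interface name and peer address are assumed placeholders; since a firewall cannot look inside ESP, these outer-header fields are all there is to match on.

```shell
#!/bin/sh
# Added example, not part of the original thread: iptables rules that let an
# IPsec tunnel through a host firewall using only what the outer packets show:
#   IKE/ISAKMP key negotiation -> UDP, port 500
#   ESP encrypted data         -> IP protocol 50 (ESP has no ports at all)
# Interface name and peer address are assumptions; substitute real values.

# Emit the rules for one IPsec peer, one iptables command per line.
ipsec_rules() {
    iface=$1    # external interface, e.g. eth0
    peer=$2     # remote IPsec gateway address
    cat <<EOF
iptables -A INPUT  -i $iface -s $peer -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -o $iface -d $peer -p udp --dport 500 -j ACCEPT
iptables -A INPUT  -i $iface -s $peer -p esp -j ACCEPT
iptables -A OUTPUT -o $iface -d $peer -p esp -j ACCEPT
EOF
}

# Self-check: how many emitted rules carry a given protocol keyword (udp/esp).
# Two per protocol means both directions are covered for both IKE and ESP.
count_rules() {
    ipsec_rules "$1" "$2" | grep -c -- " -p $3 "
}

# Dry run by default: just print the rules. APPLY=1 pipes them to sh (root).
if [ $# -eq 2 ]; then
    if [ "${APPLY:-0}" = 1 ]; then
        ipsec_rules "$1" "$2" | sh
    else
        ipsec_rules "$1" "$2"
    fi
fi
```

Note that there is deliberately no port match on the ESP lines: IP protocol 50 sits directly on IP, so `--dport` does not apply, and restricting by peer address is the only finer control available.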
