Why is IPsec used over UDP and not TCP?


Putting it another way, it doesn't add any benefit to have two independent functions handling error correction.

If your data stream cares about error correction, use TCP. If your data stream doesn't, or wants to manage error correction itself, use UDP. The transporting of these UDP or TCP packets should not interfere or cause conflict with what you chose for your data.

Which would not be ideal.

Individual packets SHOULD NOT use different markings than the rest of the connection, since packets with different priorities may be routed differently and cause unnecessary delays in the connection.

If an implementation receives such an outer packet, it MAY propagate the markings as described in the Default Tunnel Egress Behaviour [RFC] for any inner packet contained within a single outer TCP packet, or simply apply the rules as if the outer packet were Not-ECT if the inner packet spans multiple outer packets.

TCP Responders should be aware of this additional attack-surface. TCP Responders should be careful to ensure that the stream prefix "IKETCP" uniquely identifies incoming streams as ones that use the TCP encapsulation protocol, and they are not running any other protocols on the same listening port that could conflict with this. If an attacker is able to send packets on a new TCP connection that pass the validation checks of the TCP Responder, it can influence which path future packets take.

For this reason, the validation of messages on the TCP Responder must include decryption, authentication, and replay checks. This increases the protection of implementations against replay attacks. The use of TLS should be configurable on the peers, and may be used as the default when using TCP encapsulation, or else be a fallback when basic TCP encapsulation fails.

TLS Session Resumption is recommended to improve efficiency in this case. Implementations should be aware that the use of TLS introduces another layer of overhead requiring more bytes to transmit a given IKE and IPsec packet.


Or is the protocol using UDP but adding reliability at the application layer?

IP is also an "unreliable" protocol.


