On Jun 7, 2012, at 2:53 PM, Yoav Nir wrote:

> On Jun 7, 2012, at 7:15 PM, Paul Hoffman wrote:
>
>>> * Use IKE over TCP. Looking at the IANA registry ([2]) TCP port 500 is
>>> already allocated to "ISAKMP". We have had IKE running over TCP for several
>>> years for remote access clients. This was done because remote access
>>> clients connect from behind some very dodgy NAT devices, and some of those
>>> do drop fragments. Getting this behavior at the ISP is novel.
>>
>> * Use IKE over TCP only after IKE over UDP fails during transmission of a
>> packet >512 bytes. That would be interoperable with current deployments
>> (although they would not see the second attempt, of course), it costs
>> little, and is trivial to implement.
>
> This is possible, but since UDP is not reliable, you'd have to retransmit
> several times before giving up on UDP. Even if we shorten the "at least a
> dozen times over a period of at least several minutes", it's still long
> enough for users to feel - get the "connection with Exchange lost" message in
> Outlook, for example.

Good point.

> You could begin both UDP (first IKE message) and TCP's 3-way handshake at the
> same time. If the 3-way handshake completed in time, the larger packets would
> go over that connection. If not, they would go over TCP.

Yuck. But possibly the right answer.

> But all this is implementation-specific details. I'm more interested in
> hearing whether others are seeing this (I would guess yes, otherwise Cisco
> would not have developed the IKE fragments), and on whether there is interest
> in the group in an IKE-over-TCP draft.

Please consider "IKE-with-TCP-and-UDP" before "IKE-over-TCP".

--Paul Hoffman

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
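The race sketched in the thread (first IKE message on UDP while the TCP 3-way handshake starts in parallel; a message above the 512-byte mark takes TCP only if that handshake is up in time, otherwise it stays on UDP), as an added Python illustration that is not from the thread or from any IKE implementation. The loopback echo responder, the self-addressed UDP socket standing in for UDP/500, and the 1.0 s handshake budget are constructed assumptions.

```python
import asyncio
import socket

FRAGMENT_THRESHOLD = 512  # bytes; the thread's cut-off above which UDP fragments tend to be dropped
async def initiate(tcp_port, messages, handshake_budget=1.0):
    """First IKE message on UDP while the TCP 3-way handshake runs in parallel; a later message
    above the threshold uses TCP only if that handshake completed, else it stays on UDP."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    peer = udp.getsockname()  # constructed: datagrams loop back to this socket instead of UDP/500
    udp.sendto(messages[0], peer)
    handshake = asyncio.ensure_future(asyncio.open_connection("127.0.0.1", tcp_port))
    used = ["udp"]
    for msg in messages[1:]:
        transport = "udp"
        if len(msg) > FRAGMENT_THRESHOLD:
            try:
                _r, writer = await asyncio.wait_for(asyncio.shield(handshake), handshake_budget)
                writer.write(msg)
                await writer.drain()
                transport = "tcp"
            except (OSError, asyncio.TimeoutError):
                pass  # refused or too slow: the large message goes over UDP (and its retransmits)
        if transport == "udp":
            udp.sendto(msg, peer)
        used.append(transport)
    handshake.cancel()  # no-op if the handshake already finished
    if handshake.done() and handshake.exception() is None:
        handshake.result()[1].close()
    udp.close()
    return used

async def echo_once(reader, writer):
    """Constructed stand-in for a responder that accepts IKE over TCP."""
    writer.write(await reader.read(65535))
    writer.close()

def run_demo(tcp_available=True):
    """With a TCP responder the 1200-byte message goes over TCP; without one it falls back to UDP."""
    async def scenario():
        server = await asyncio.start_server(echo_once, "127.0.0.1", 0)
        tcp_port = server.sockets[0].getsockname()[1]
        if not tcp_available:
            server.close()  # the handshake to this port is now refused
        try:
            return await initiate(tcp_port, [b"\x00" * 200, b"\x00" * 1200])
        finally:
            server.close()
            await server.wait_closed()
    return asyncio.run(scenario())
```

run_demo(True) returns ["udp", "tcp"] and run_demo(False) returns ["udp", "udp"], which is the behaviour the thread describes: the UDP path is never delayed by the TCP attempt, and a failed handshake costs nothing but the fallback.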
