> On Sep 16, 2015, at 5:01 AM, Tero Kivinen <kivi...@iki.fi> wrote:
>
> Tommy Pauly writes:
>> I wanted to get a sense of WG interest in working on a standard for running
>> IKEv2/IPSec over a TCP (or TLS/TCP) connection to traverse networks that
>> currently block UDP traffic.
>
> Before we made the UDP fragmentation document, our original plan was to
> run IKEv2 over TCP, just because that would solve this problem.
>
> During this process we then found out that the WG wanted to standardize
> UDP fragmentation instead of IKEv2 over TCP.
>
> Has something really happened that changes that?
>
> The old informal poll can be found at
>
> http://marc.info/?t=136326093500003&r=1&w=1
>
> So how does your draft relate to the earlier ike over tcp draft?
>
> http://datatracker.ietf.org/doc/draft-ietf-ipsecme-ike-tcp/
Hi Tero,

At the time that we (at my suggestion) dropped the work on IKE over TCP, it was because of a conclusion we had reached: in all the cases where IKE over TCP solves your connectivity issues but IKE fragmentation doesn't, the IPsec would fail. At the time, the WG was not in favor of running the IPsec over that TCP connection, so there seemed to be little point.

This draft is proposing both IKE and ESP over the TCP connection, so the protocol will work in situations where UDP (even with fragmentation at the IKE rather than IP layer) fails.

We've had something like this working with IKEv1 for over 10 years. Many vendors have "SSL VPN" solutions that have pretty much the same performance, scalability, and connectivity characteristics. There's ample evidence that this kind of solution works. And although the need is slowly diminishing (more and more public networks allow IKE and IPsec to work), there are still many places where we still need to tunnel everything over TCP.

If it hasn't been clear, I am in favor of adopting this draft.

Yoav

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec