Thanks for the explanation... -Ekr
On Sun, Mar 19, 2017 at 11:45 AM, Tommy Pauly <tpa...@apple.com> wrote: > Some servers may support that, but some may not. These sessions are often > used for VPN access, and we've seen cases in which a particular > user/certificate combination is only allowed to be connected > once-at-a-time. That makes switching more complicated. Also, since the > recommendation is to try sending the UDP first packet at least twice, the > amount of time required for the user to wait before the fallback would kick > in is only on the order of a few RTT. > > I think if these session were more likely to be used for user-interactive, > short-lived connections, I'd see more value in a nuanced racing algorithm. > However, we often see IKE brought up in the background and stay associated > for a very long time, making the protocol that wins the race more > important, and the time to wait to establish slightly less important. > > Thanks, > Tommy > > > On Mar 19, 2017, at 11:40 AM, Eric Rescorla <e...@rtfm.com> wrote: > > > > I haven't fully thought this through, but if yu can switch-hit between > TCP > > and UDP, > > why can't you just race the setup between TCP and UDP and then if you > start > > getting packets on UDP, cut over to that. > > > > Maybe I'm just too influenced by ICE :) > > > > -Ekr > > > > > > On Sun, Mar 19, 2017 at 11:25 AM, Tommy Pauly <tpa...@apple.com> wrote: > > > >> > >> On Mar 19, 2017, at 6:47 AM, Eric Rescorla <e...@rtfm.com> wrote: > >> > >> > >> > >> On Sat, Mar 18, 2017 at 11:29 PM, Yoav Nir <ynir.i...@gmail.com> wrote: > >> > >>> Hi, Eric. > >>> > >>> On 19 Mar 2017, at 4:04, Eric Rescorla <e...@rtfm.com> wrote: > >>> > >>> [Now with the right address] > >>> > >>> I just finished reading this document. Some comments below. > >>> > >>> > >>> - You have a uniform 16 bit length field followed by a 4 byte all-zeros > >>> sentinel value to indicate that a packet is IKE rather than ESP. > >>> Given that in S 3 graf 2 you have a SHOULD-level requirement > >>> to use typical UDP payload lengths, why not instead explicitly > >>> limit lengths to 15 bits and use the top bit to indicate IKE versus > >>> ESP. This would be slightly more efficient and seems simpler. > >>> I suppose that the counterargument is that IKE over UDP behaves > >>> differently, but in terms of implementation, that doesn't seem like > >>> much of an argument. > >>> > >>> > >>> Another counter-argument is that we sometimes need the entire > theoretical > >>> length of a UDP packet. The IKE_AUTH messages typically carry a > certificate > >>> chain and sometimes even a CRL. And there is no way to split a > certificate > >>> chain over several messages. With remote access VPN you also get a CFG > >>> payload with configuration information that can also encode an > unbounded > >>> amount of data. So I would not want to constrain the certificate chains > >>> that we are able to send any more than the IP packet length already > does > >
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec