Antony Antony <[email protected]> wrote:
    > On Tue, Nov 25, 2025 at 02:42:38PM -0500, Michael Richardson wrote:
    >>
    >> Antony Antony <[email protected]> wrote:
    >> > During field testing of post-quantum IKEv2 over UDP, we observed a high
    >> > rate of retransmissions involving IKEv2 fragments. In real-world
    >> > deployments, the same fragment was consistently lost, causing repeated
    >> > all-fragment retransmissions as required by RFC 7383. In some cases,
    >> > the peers failed to complete the exchange even after more than 50 retries,
    >> > indicating that the current recovery behavior is insufficient for large
    >> > PQC-sized messages over UDP.
    >>
    >> Which fragment?
    >> Was it the biggest? Smallest?
    >> Was there a NAT44?  stateful firewall?  I know that RFC7383 avoids IP
    >> fragmentation, but it also sure seems strange that it's the same one.
    >> Can this network be reproduced easily?
    >> Was it a queue tail drop?  Did you try sending slower?
    >> (Not that it's a good solution, but it's a good diagnosis)

    > I don't have the full details of the tests. The gist is that IKEv2 gets
    > stuck after several retries — i.e., RFC 7383-style retransmissions of all
    > fragments — while other protocols recover.

I think that we need details that allow everyone to reproduce this failure.
Specifically so that when someone implements this, they can know that their
code is good enough to deal with that failure.

--
Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
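The retransmission behaviour under discussion, as an added model that is not code from the thread or from any IKEv2 implementation: it slices a message into RFC 7383-style fragments and counts how many full retransmissions pass before the responder holds every fragment. Assumed: equal-size slicing, a responder that keeps partial reassembly state between attempts (keep_partial=False is a comparison case, not RFC text), constructed loss models, and made-up sizes (5000-byte message, 1200-byte fragments).

```python
import random

def split_into_fragments(message_len, max_fragment_len):
    """Payload length of each RFC 7383 fragment when the sender slices the
    message into max_fragment_len pieces; the last fragment carries the rest."""
    if message_len <= 0 or max_fragment_len <= 0:
        raise ValueError("lengths must be positive")
    full, rest = divmod(message_len, max_fragment_len)
    return [max_fragment_len] * full + ([rest] if rest else [])

def exchange_attempts(fragment_sizes, is_lost, max_retries=50, keep_partial=True):
    """Initiator sends every fragment, then retransmits ALL of them on each
    retry (RFC 7383 has no per-fragment acknowledgement).  Returns the
    transmission on which the responder holds all fragments, or None when
    the exchange is still incomplete after max_retries retransmissions.
    keep_partial=False models a responder that forgets fragments between
    attempts (an assumption for comparison, not RFC 7383 text)."""
    total = len(fragment_sizes)
    received = set()
    for attempt in range(1, max_retries + 2):  # initial send + retries
        if not keep_partial:
            received.clear()
        for number, size in enumerate(fragment_sizes, start=1):
            if not is_lost(number, size):
                received.add(number)
        if len(received) == total:
            return attempt
    return None

# Constructed loss models; each returns a predicate (number, size) -> lost?
def drop_fragment(fragment_number):
    """The pattern reported in the thread: one fixed fragment never arrives."""
    return lambda number, size: number == fragment_number

def drop_larger_than(limit):
    """A path that silently drops datagrams above some size: every full-size
    fragment is lost and only the short tail fragment gets through."""
    return lambda number, size: size > limit

def random_loss(rate, seed=1):
    """Independent per-fragment loss; seeded so runs are repeatable."""
    rng = random.Random(seed)
    return lambda number, size: rng.random() < rate

if __name__ == "__main__":
    sizes = split_into_fragments(5000, 1200)
    print("fragments:", sizes)
    print("fixed loss of #3:", exchange_attempts(sizes, drop_fragment(3)))
    print("drop > 1000 B:", exchange_attempts(sizes, drop_larger_than(1000)))
    print("30% random, keep partial:", exchange_attempts(sizes, random_loss(0.3)))
    print("30% random, forget partial:",
          exchange_attempts(sizes, random_loss(0.3), keep_partial=False))
```

With a fixed fragment always lost the exchange never completes no matter how many retries are allowed, which is the shape of the field observation; swapping in the loss model that matches a reproduced network is the point of the questions above.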
