Re: [IPsec] WG Interest in TCP Encapsulation

2015-09-21 Thread Graham Bartlett (grbartle)
Date: Saturday, 19 September 2015 00:44 To: Valery Smyslov <sva...@gmail.com> Cc: IPsecME WG <ipsec@ietf.org>, Paul Wouters <p...@nohats.ca> Subject: Re: [IPsec] WG Interest in TCP Encapsulation You asked about how widespread this issue is. I cannot provide exact numbers her

Re: [IPsec] WG Interest in TCP Encapsulation

2015-09-19 Thread Les Leposo
>>> The real question is whether the networks that don't transport ESP or >>> ESPinUDP block those packets on purpose or by accident. I don't think >>> we really have any good numbers on this. >>> If we are doing this as a "workaround" to break through the administrative >>> boundaries, then we

Re: [IPsec] WG Interest in TCP Encapsulation

2015-09-18 Thread Samy Touati
Hi Valery, The draft doesn't prevent http encapsulation for the purpose of traversing web proxies for example, and this would be considered one "use-case" that would make use of TCP encapsulation. The draft does provide such flexibility. The objective of this proposal is to provide a

Re: [IPsec] WG Interest in TCP Encapsulation

2015-09-18 Thread Tommy Pauly
Hi Valery, As Samy mentioned, this draft does allow for the traffic to look like HTTPS traffic (using TLS over port 443), but doesn’t require it. It is about defining a standard way to add framing to IKEv2 and ESP when put over a TCP-based stream; the applications of this may vary in
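The framing the message above refers to, as an added example that is not part of the thread, the draft, or any implementation: IKE and ESP are datagram protocols, so a TCP stream needs a length prefix so the receiver can cut datagrams back out of a byte stream that arrives in arbitrary chunks, plus a way to tell IKE from ESP on one connection. The exact wire layout here is an assumption of this example (a 16-bit length counting the whole frame, the 4-zero-octet non-ESP marker borrowed from UDP encapsulation, and an "IKETCP" stream prefix, modeled on what the later RFC 8229 specified rather than on draft-00). The non-ESP marker works because ESP packets begin with the SPI, and SPI 0 is reserved by RFC 4303 and never sent on the wire.

```python
"""Length-prefixed framing of IKEv2 and ESP messages over one TCP stream.

Added example; the wire format below is an assumption for illustration
(see the lead-in), not the text of the draft discussed in the thread.
"""
import struct
from typing import List, Tuple

STREAM_PREFIX = b"IKETCP"            # assumed magic at the start of each stream
NON_ESP_MARKER = b"\x00\x00\x00\x00" # assumed: IKE frames carry 4 zero octets first
LEN_FIELD = 2                        # assumed: 16-bit big-endian length, counts itself
MIN_FRAME = LEN_FIELD + 4            # need at least 4 octets to tell IKE from ESP
MAX_FRAME = 0xFFFF


def frame(payload: bytes, is_ike: bool) -> bytes:
    """Wrap one IKE or ESP datagram for transmission on the stream."""
    body = (NON_ESP_MARKER if is_ike else b"") + payload
    total = LEN_FIELD + len(body)
    if total < MIN_FRAME or total > MAX_FRAME:
        raise ValueError("datagram does not fit the length field")
    return struct.pack("!H", total) + body


class Deframer:
    """Reassembles datagrams from stream data delivered in arbitrary chunks."""

    def __init__(self) -> None:
        self._buf = bytearray()
        self._prefix_seen = False

    def feed(self, data: bytes) -> List[Tuple[str, bytes]]:
        """Consume bytes from the stream; return every complete datagram."""
        self._buf += data
        out: List[Tuple[str, bytes]] = []

        # Reject anything that is not an encapsulation stream (e.g. a proxy
        # or scanner speaking HTTP at us) before parsing any lengths.
        if not self._prefix_seen:
            if len(self._buf) < len(STREAM_PREFIX):
                return out
            if bytes(self._buf[: len(STREAM_PREFIX)]) != STREAM_PREFIX:
                raise ValueError("stream does not start with the IKETCP prefix")
            del self._buf[: len(STREAM_PREFIX)]
            self._prefix_seen = True

        while len(self._buf) >= LEN_FIELD:
            (total,) = struct.unpack("!H", bytes(self._buf[:LEN_FIELD]))
            if total < MIN_FRAME:
                # A bogus length would desynchronise every later frame, so
                # fail the stream rather than guess.
                raise ValueError("frame length %d below minimum" % total)
            if len(self._buf) < total:
                break  # wait for the rest of this frame
            body = bytes(self._buf[LEN_FIELD:total])
            del self._buf[:total]
            if body[:4] == NON_ESP_MARKER:
                out.append(("ike", body[4:]))
            else:
                out.append(("esp", body))  # first 4 octets are a non-zero SPI
        return out


def roundtrip_chunked(messages: List[Tuple[str, bytes]], chunk_size: int
                      ) -> List[Tuple[str, bytes]]:
    """Frame the messages, replay the stream in chunk_size pieces, decode."""
    stream = STREAM_PREFIX + b"".join(frame(p, kind == "ike")
                                      for kind, p in messages)
    d = Deframer()
    decoded: List[Tuple[str, bytes]] = []
    for i in range(0, len(stream), chunk_size):
        decoded.extend(d.feed(stream[i:i + chunk_size]))
    return decoded


if __name__ == "__main__":
    # Constructed sample datagrams: two IKE messages around one ESP packet
    # whose first four octets are a non-zero SPI.
    sample = [("ike", b"\x01" * 28),
              ("esp", b"\x00\x00\x10\x01" + b"\xaa" * 40),
              ("ike", b"\x02" * 36)]
    for size in (1, 7, 1000):
        print(size, roundtrip_chunked(sample, size) == sample)
```

The point a practitioner should take from this is that the receiver, not the sender, does the hard work: it must tolerate frames split across reads, bound every length it trusts from the peer, and refuse to parse a stream that does not announce itself as encapsulation, since the same TCP port may also be reached by ordinary web clients and proxies when the transport is dressed up as HTTPS.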

Re: [IPsec] WG Interest in TCP Encapsulation

2015-09-17 Thread Samy Touati
Thanks Samy.  From: Tommy Pauly <tpa...@apple.com> Sent: Sep 15, 2015 8:20 PM To: Tero Kivinen Cc: IPsecME WG Subject: Re: [IPsec] WG Interest in TCP Encapsulation Hello Tero, I have read the previous draft for using TCP to avoid fragmentation problems, and I believe that the new TCP-encapsulatio

Re: [IPsec] WG Interest in TCP Encapsulation

2015-09-17 Thread Paul Wouters
On Wed, 16 Sep 2015, Yoav Nir wrote: This draft is proposing both IKE and ESP over the TCP connection, so the protocol will work in situations where UDP (even with fragmentation at the IKE rather than IP layer) fails. We’ve had something like this working with IKEv1 for over 10 years. Many

Re: [IPsec] WG Interest in TCP Encapsulation

2015-09-17 Thread Tommy Pauly
Hi Paul, I encourage you to read the new draft, as I believe it addresses many of your concerns. It covers the potential new vulnerabilities (RST), as well as how to frame the datagrams in a stream along with an explanation of performance concerns. It also makes it clear that TCP should only

Re: [IPsec] WG Interest in TCP Encapsulation

2015-09-16 Thread Yoav Nir
> On Sep 16, 2015, at 5:01 AM, Tero Kivinen wrote: > > Tommy Pauly writes: >> I wanted to get a sense of WG interest in working on a standard for running >> IKEv2/IPSec over a TCP (or TLS/TCP) connection to traverse networks that >> currently block UDP traffic. > > Before we

Re: [IPsec] WG Interest in TCP Encapsulation

2015-09-15 Thread Tommy Pauly
Hello Tero, I have read the previous draft for using TCP to avoid fragmentation problems, and I believe that the new TCP-encapsulation draft is aimed at solving a different use case with a different approach. The current standard for IKEv2 fragmentation is definitely the right thing to do to

[IPsec] WG Interest in TCP Encapsulation

2015-09-15 Thread Tero Kivinen
Tommy Pauly writes: > I wanted to get a sense of WG interest in working on a standard for running > IKEv2/IPSec over a TCP (or TLS/TCP) connection to traverse networks that > currently block UDP traffic. Before we made the UDP fragmentation document, our original plan was to run IKEv2 over TCP,

[IPsec] WG Interest in TCP Encapsulation

2015-09-15 Thread Tommy Pauly
Hello, I wanted to get a sense of WG interest in working on a standard for running IKEv2/IPSec over a TCP (or TLS/TCP) connection to traverse networks that currently block UDP traffic. Here’s the link to the draft: https://tools.ietf.org/html/draft-pauly-ipsecme-tcp-encaps-00