Hi

I work for a vendor selling and IKE/IPsec solution.

In the last few months, we've heard a troubling complaint from some of our 
customers. They say that some ISPs have begun to drop IP fragments. While 
specific ISPs were not named, most of the issues seem to be in south-east Asia. 
One customer has speculated that this has something to do with preparing to 
deploy CGNs.

According to draft-ietf-behave-lsn-requirements, CGNs MUST comply with the NAT 
requirements for UDP as in RFC 4787, and that RFC says in section 11 that NAT 
devices MUST support fragments. So these routers are not compliant, but that 
doesn't help our customers much.

Most traffic on the Internet is either TCP or small-packet UDP. The IKE 
protocol (both versions) has the rather rare distinction of having large UDP 
packets. These are packets #5 and #6 in IKEv1 Main Mode, or the IKE_AUTH 
packets in IKEv2, especially when using certificate authentication.

For now, the customers managed to "fix" the ISP with an angry phone call. That 
got them into an exception list where fragments are not dropped. One had to 
change ISPs for that. While this can work for a while, it won't work when the 
carrier doing the dropping is not the one that the customer has a business 
relationship with, but another one downstream.


Trying to think up ways to deal with this, I can think of some:

* Get all ISPs to stop dropping fragments. This would be great, but as the 
saying goes, you are so not in charge.

* Find ways of making the packets smaller: move to PSK, fiddle with trust 
anchors so that only one cert is needed, avoid sending CRLs, hash-and-URL, etc. 
These are not always successful, and often require more configuration than we 
would like.

* Build a fragmentation layer within IKE, so IKE messages are broken into 
several packets that get reassembled at the destination. This is the path taken 
by one of our competitors [1]. This means that IKE has segmentation in addition 
to other TCP-like features such as retransmission.

* Use IKE over TCP. Looking at the IANA registry ([2]) TCP port 500 is already 
allocated to "ISAKMP". We have had IKE running over TCP for several years for 
remote access clients. This was done because remote access clients connect from 
behind some very dodgy NAT devices, and some of those do drop fragments. 
Getting this behavior at the ISP is novel.


Have others on this list run into this issue?  

Yoav

[1] 
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_fragment_ike_pack.html
[2] 
http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Reply via email to