On Jun 7, 2012, at 8:20 AM, Yoav Nir wrote:

> Trying to think up ways to deal with this, I can think of some:
>
> * Get all ISPs to stop dropping fragments. This would be great, but as the
> saying goes, you are so not in charge.
>
> * Find ways of making the packets smaller: move to PSK, fiddle with trust
> anchors so that only one cert is needed, avoid sending CRLs, hash-and-URL,
> etc. These are not always successful, and often require more configuration
> than we would like.
>
> * Build a fragmentation layer within IKE, so IKE messages are broken into
> several packets that get reassembled at the destination. This is the path
> taken by one of our competitors [1]. This means that IKE has segmentation in
> addition to other TCP-like features such as retransmission.
>
> * Use IKE over TCP. Looking at the IANA registry ([2]) TCP port 500 is
> already allocated to "ISAKMP". We have had IKE running over TCP for several
> years for remote access clients. This was done because remote access clients
> connect from behind some very dodgy NAT devices, and some of those do drop
> fragments. Getting this behavior at the ISP is novel.

* Use IKE over TCP only after IKE over UDP fails during transmission of a
packet >512 bytes. That would be interoperable with current deployments
(although they would not see the second attempt, of course), it costs little,
and is trivial to implement.

--Paul Hoffman

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
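The fallback policy proposed in this message, as an added example that is not part of the thread and not code from any of the participants' implementations. It simulates a path that silently drops IP fragments (a constructed stand-in for the ISP behaviour the thread discusses), tries UDP first with retransmissions, and switches to TCP only when every UDP attempt times out and the message exceeded the 512-byte threshold. The 2-byte length-prefix framing for IKE over TCP, the retry count, the `ike_responder` echo and all function names are assumptions of this example; the thread specifies none of them.

```python
# Added example (not from the thread): simulation of "UDP first, TCP only after
# a large message times out". Framing, retry count and names are assumptions.
import struct
from typing import Optional, Tuple

SIZE_THRESHOLD = 512   # fall back only for messages larger than this (bytes)
UDP_RETRIES = 3        # UDP attempts before giving up (assumed value)
SPI_LEN = 8            # an IKE header begins with an 8-byte initiator SPI


def ike_responder(request: bytes) -> bytes:
    """Constructed responder: echoes the initiator SPI followed by b'OK'.
    Stands in for whatever IKE reply the real peer would send."""
    return request[:SPI_LEN] + b"OK"


class SimulatedNetwork:
    """Constructed stand-in for an ISP path that silently drops IP fragments.

    A UDP datagram larger than path_mtu would be fragmented by IP; the
    fragments are dropped, so no reply ever arrives. TCP segments the byte
    stream itself and is never fragmented, so it always gets through."""

    def __init__(self, path_mtu: int = 1400, drop_fragments: bool = True):
        self.path_mtu = path_mtu
        self.drop_fragments = drop_fragments
        self.udp_attempts = 0
        self.tcp_attempts = 0

    def send_udp(self, datagram: bytes) -> Optional[bytes]:
        self.udp_attempts += 1
        if self.drop_fragments and len(datagram) > self.path_mtu:
            return None                      # fragments lost: caller times out
        return ike_responder(datagram)

    def send_tcp(self, stream: bytes) -> bytes:
        self.tcp_attempts += 1
        request = unframe_tcp(stream)        # responder side: strip the prefix
        return frame_tcp(ike_responder(request))


def frame_tcp(message: bytes) -> bytes:
    """Prefix an IKE message with a 2-byte big-endian length so record
    boundaries survive the byte stream (assumed framing)."""
    if len(message) > 0xFFFF:
        raise ValueError("message too large for 16-bit length prefix")
    return struct.pack("!H", len(message)) + message


def unframe_tcp(stream: bytes) -> bytes:
    (length,) = struct.unpack("!H", stream[:2])
    message = stream[2:2 + length]
    if len(message) != length:
        raise ValueError("truncated frame")
    return message


def exchange(net: SimulatedNetwork, message: bytes) -> Tuple[str, bytes]:
    """Send one IKE request and return (transport_used, reply).

    Policy: always try UDP first, retransmitting a few times. Fall back to TCP
    only if every UDP attempt timed out AND the message exceeded the size
    threshold; a small message that gets no answer is far more likely a dead
    peer than a dropped fragment, so retrying it over TCP gains nothing."""
    for _ in range(UDP_RETRIES):
        reply = net.send_udp(message)
        if reply is not None:
            return "udp", reply
    if len(message) <= SIZE_THRESHOLD:
        raise TimeoutError("no UDP reply and message is small; no TCP fallback")
    reply = unframe_tcp(net.send_tcp(frame_tcp(message)))
    return "tcp", reply


def build_request(spi: bytes, payload_len: int) -> bytes:
    """Constructed IKE-like request: 8-byte SPI plus filler payload standing
    in for the certificates and CRLs that make real messages large."""
    return spi + b"\x00" * payload_len


if __name__ == "__main__":
    net = SimulatedNetwork(path_mtu=1400)
    print(exchange(net, build_request(b"\x01" * 8, 200))[0])    # udp
    print(exchange(net, build_request(b"\x02" * 8, 3000))[0])   # tcp
```

The interesting property to check is the negative case: on a path that drops fragments, a small request that gets no answer still raises a timeout rather than opening a TCP connection, which is what keeps the fallback from masking an unreachable peer as a fragmentation problem.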