On Jun 7, 2012, at 9:43 AM, Paul Wouters wrote:

> On Thu, 7 Jun 2012, Paul Hoffman wrote:
>
>>> * Use IKE over TCP. Looking at the IANA registry ([2]) TCP port 500 is
>>> already allocated to "ISAKMP". We have had IKE running over TCP for several
>>> years for remote access clients. This was done because remote access
>>> clients connect from behind some very dodgy NAT devices, and some of those
>>> do drop fragments. Getting this behavior at the ISP is novel.
>>
>> * Use IKE over TCP only after IKE over UDP fails during transmission of a
>> packet >512 bytes. That would be interoperable with current deployments
>> (although they would not see the second attempt, of course), it costs
>> little, and is trivial to implement.
>
> Is that compatible with some vendor's tcp port 10000 implementation?

Why should I care about that completely non-standard use? Seriously.

> Also, if we are doing this, I'd prefer to be able to signal which tcp
> port to use, to make it more flexible to bypass port 500 blocks (which
> is part of the tcp 10000 implementation I believe)

That seems fine to me. However, assuming that a firewall that blocks TCP/500 will not block TCP/somerandomnewnumber is not wise.

--Paul Hoffman

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
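The UDP-first, TCP-fallback behaviour proposed in the quoted text, as an added loopback demonstration that is not part of this thread or of any IKE implementation: the responder's UDP side silently drops datagrams over 512 bytes (standing in for a NAT that drops fragments), and the initiator retries over TCP on the same port number only when a large message goes unanswered. The ephemeral port, the timeout value and the 2-byte length prefix used to frame the message on TCP are assumptions of the example, not anything the thread specifies.

```python
import socket
import threading

FRAG_LIMIT = 512   # the >512-byte threshold from the proposal
TIMEOUT = 0.5      # constructed: short retransmit timer for the demo

def run_responder(drop_large_udp=True):
    """Loopback stand-in for a peer behind a NAT that drops fragments: UDP
    discards datagrams over FRAG_LIMIT, TCP always answers. Same port for both."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    port = udp.getsockname()[1]      # ephemeral port, an assumption of the demo
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    tcp.bind(("127.0.0.1", port))
    tcp.listen(1)

    def udp_loop():
        while True:
            data, peer = udp.recvfrom(65535)
            if drop_large_udp and len(data) > FRAG_LIMIT:
                continue                 # fragments "lost" at the NAT: no reply
            udp.sendto(b"UDP-OK:" + data[:8], peer)

    def tcp_loop():
        while True:
            conn, _ = tcp.accept()
            with conn, conn.makefile("rb") as f:
                n = int.from_bytes(f.read(2), "big")   # assumed 2-byte length prefix
                conn.sendall(b"TCP-OK:" + f.read(n)[:8])

    threading.Thread(target=udp_loop, daemon=True).start()
    threading.Thread(target=tcp_loop, daemon=True).start()
    return port

def send_ike(msg, port):
    """Initiator: UDP first; retry over TCP on the same port number only when a
    message larger than FRAG_LIMIT goes unanswered. Returns (transport, reply)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(TIMEOUT)
        s.sendto(msg, ("127.0.0.1", port))
        try:
            return "udp", s.recv(65535)
        except socket.timeout:
            if len(msg) <= FRAG_LIMIT:
                raise                    # small message lost: not a fragmentation issue
    with socket.create_connection(("127.0.0.1", port), timeout=TIMEOUT) as t:
        t.sendall(len(msg).to_bytes(2, "big") + msg)
        return "tcp", t.recv(65535)
```

A small message is answered over UDP; a 1400-byte one times out on UDP and is answered over TCP, which is exactly the second attempt that a responder without TCP support would never see.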