On Thu, Jun 7, 2012 at 12:40 PM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> On Jun 7, 2012, at 10:26 AM, Nico Williams wrote:
>> Use port 80.
>>
>> (I'm being half facetious, half sarcastic, and half serious with this.)
>
> Being non-all-of-the-above: that won't work. Many firewalls that are blocking 
> UDP fragments do deep packet inspection on port 80 and will throw away 
> traffic that doesn't look like HTTP. (Don't get me started on "look like"...)

To be closer to 100% serious I'd have to advocate an HTTP mapping of
IKE and/or use of port 443.  I'm not sure that I want to go there, but
really, if you want to get past deep inspection nowadays then your
best bet seems to be port 443.  Which, of course, would not be enough.
You'd find that ESP (encapsulated in UDP or not) also gets filtered,
so you'd have to start sending ESP over HTTPS.  And that's all kinds
of not fun.

At some point though one has to give up and declare the ISP useless.
If you're a dissident in Iran, well, you're not using IPsec anyways,
and Tor and all things port 443 are really your only friends, and if
in the end the great firewalls get good enough, well, what can we do
as far as *standards*?  Not much.  But I don't think Yoav was talking
about this case, just a lousy ISP case, and for that I suspect deep
packet inspection is not really the problem.  For Yoav I suspect that
IKE over TCP + UDP encapsulation of ESP is the way to go; worst case
scenario: ESP over TCP.

Nico
--
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
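The transport choices named at the end of the message (UDP encapsulation of ESP, IKE over TCP, and as a last resort ESP over TCP) each come down to a small framing rule on top of the raw IKE and ESP bytes. The Python below is an added illustration, not code from this thread or from any IETF implementation. The UDP port 4500 framing follows RFC 3948 (four zero bytes as a non-ESP marker in front of IKE, nothing in front of ESP, a single 0xFF byte as NAT-keepalive); the TCP framing follows RFC 8229, which postdates this 2012 exchange and standardised the "IKETCP" stream prefix and a 16-bit length prefix that counts itself. The IKEv2 header and ESP packet used as input are constructed sample bytes, not captured traffic, and the class and function names are the example's own.

```python
"""Framing of IKE and ESP over UDP/4500 (RFC 3948 style) and over TCP (RFC 8229 style)."""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixed to IKE on UDP/4500 so the receiver can tell it from ESP
NAT_KEEPALIVE = b"\xff"               # one-byte NAT-keepalive datagram on UDP/4500
TCP_STREAM_PREFIX = b"IKETCP"         # sent once at the start of a TCP-encapsulated stream

# Constructed samples (not real traffic): a minimal 28-byte IKEv2 header for IKE_SA_INIT
# (next payload SA=33, version 2.0, exchange type 34, initiator flag, message ID 0, length 28)
# and an ESP packet with a non-zero SPI, sequence number 1 and 16 bytes of opaque payload.
IKE_SA_INIT = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 33, 0x20, 34, 0x08, 0, 28)
ESP_PACKET = struct.pack("!II", 0x0000ABCD, 1) + b"\xaa" * 16


def udp4500_frame(payload: bytes, is_ike: bool) -> bytes:
    """Build the UDP/4500 payload: IKE messages get the non-ESP marker, ESP packets do not."""
    return NON_ESP_MARKER + payload if is_ike else payload


def classify(body: bytes) -> tuple:
    """Split a framed message into ('ike', ike_message) or ('esp', esp_packet).
    A real ESP packet starts with a non-zero SPI, so four zero bytes can only be the marker."""
    if len(body) < 4:
        raise ValueError("message too short to carry a marker or an SPI")
    if body.startswith(NON_ESP_MARKER):
        return ("ike", body[len(NON_ESP_MARKER):])
    return ("esp", body)


def udp4500_demux(datagram: bytes) -> tuple:
    """Classify one UDP/4500 datagram as keepalive, IKE or ESP."""
    if datagram == NAT_KEEPALIVE:
        return ("keepalive", b"")
    return classify(datagram)


def tcp_frame(payload: bytes, is_ike: bool) -> bytes:
    """Prefix one message with a 16-bit big-endian length that includes the length field itself."""
    body = udp4500_frame(payload, is_ike)
    return struct.pack("!H", 2 + len(body)) + body


def tcp_stream(messages) -> bytes:
    """Serialise a list of (payload, is_ike) pairs as one TCP-encapsulated stream."""
    return TCP_STREAM_PREFIX + b"".join(tcp_frame(p, ike) for p, ike in messages)


class TcpDemux:
    """Incremental parser: feed() TCP segment payloads of any size and get back complete messages.
    Because the length prefix delimits messages, a large IKE exchange (for example one carrying
    certificates) crosses segment boundaries without ever needing IP fragmentation."""

    def __init__(self):
        self.buf = b""
        self.prefix_seen = False

    def feed(self, chunk: bytes) -> list:
        self.buf += chunk
        out = []
        if not self.prefix_seen:
            if len(self.buf) < len(TCP_STREAM_PREFIX):
                return out  # wait for the rest of the prefix
            if not self.buf.startswith(TCP_STREAM_PREFIX):
                raise ValueError("stream does not start with IKETCP")
            self.buf = self.buf[len(TCP_STREAM_PREFIX):]
            self.prefix_seen = True
        while len(self.buf) >= 2:
            (length,) = struct.unpack_from("!H", self.buf, 0)
            if length < 2:
                raise ValueError("length field smaller than itself")
            if len(self.buf) < length:
                break  # remainder of this message is still in flight
            out.append(classify(self.buf[2:length]))
            self.buf = self.buf[length:]
        return out


def demo() -> dict:
    """Round-trip one IKE message and one ESP packet through TCP framing, delivered in 7-byte segments."""
    stream = tcp_stream([(IKE_SA_INIT, True), (ESP_PACKET, False)])
    demux = TcpDemux()
    got = []
    for i in range(0, len(stream), 7):
        got.extend(demux.feed(stream[i:i + 7]))
    return {"udp_ike": udp4500_demux(udp4500_frame(IKE_SA_INIT, True)), "tcp": got}


if __name__ == "__main__":
    print(demo())
```

The same classify() rule serves both transports, which is the practical appeal of the "IKE over TCP + UDP encapsulation of ESP" combination: a receiver needs only the first four bytes of each message to route it to the IKE daemon or the ESP path, and a middlebox that understands the framing can do the same check, while one that does not sees only a TCP stream with a fixed six-byte prefix.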