>>>>> "Yoav" == Yoav Nir <y...@checkpoint.com> writes:
    Yoav> Trying to think up ways to deal with this, I can think of some:

    Yoav> * Get all ISPs to stop dropping fragments. This would be
    Yoav> great, but as the saying goes, you are so not in charge. 

1) better diagnostics would help the end users point the finger
   properly.  I wish the POSIX/BSD APIs would give the application
   an error when a fragment assembly times out..

    Yoav> * Build a fragmentation layer within IKE, so IKE messages are
    Yoav> broken into several packets that get reassembled at the
    Yoav> destination. This is the path taken by one of our competitors
    Yoav> [1]. This means that IKE has segmentation in addition to other
    Yoav> TCP-like features such as retransmission. 

I proposed this for IKEv2 a while ago.  It would be worthwhile for people
who like certificates.

    Yoav> * Use IKE over TCP. Looking at the IANA registry ([2]) TCP
    Yoav> port 500 is already allocated to "ISAKMP". We have had IKE
    Yoav> running over TCP for several years for remote access
    Yoav> clients. This was done because remote access clients connect
    Yoav> from behind some very dodgy NAT devices, and some of those do
    Yoav> drop fragments. Getting this behavior at the ISP is novel. 

And ESP over TCP on port 4500?


-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] m...@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
                       then sign the petition. 
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
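Yoav's second option (a fragmentation layer inside IKE, with reassembly at the destination) together with Michael's wish for an explicit error when reassembly times out, sketched as an added example that is not code from the thread, from Check Point or from any other vendor. The (msg_id, frag_num, total, chunk) tuple format, the 1280-byte payload limit and the `Reassembler` class are my own assumptions, not the IKEv2 fragmentation wire format.

```python
import time


MAX_PAYLOAD = 1280  # assumed per-fragment payload limit, below a typical path MTU


def fragment(msg_id, data, max_payload=MAX_PAYLOAD):
    """Split one (possibly large, certificate-carrying) message into numbered
    fragments: (msg_id, frag_num, total, chunk), with frag_num counted from 1."""
    chunks = [data[i:i + max_payload] for i in range(0, len(data), max_payload)] or [b""]
    total = len(chunks)
    return [(msg_id, n + 1, total, chunk) for n, chunk in enumerate(chunks)]


class Reassembler:
    """Reassembles fragments per msg_id, drops inconsistent fragments, caps the
    number of partial messages held (so a flood of half messages cannot exhaust
    memory) and reports timed-out reassemblies explicitly instead of silently."""

    def __init__(self, timeout=30.0, max_pending=64):
        self.timeout = timeout
        self.max_pending = max_pending
        self.pending = {}  # msg_id -> {"first": ts, "total": n, "frags": {num: chunk}}

    def receive(self, frag, now=None):
        """Feed one fragment; return the full message once complete, else None."""
        now = time.monotonic() if now is None else now
        self.expire(now)
        msg_id, num, total, chunk = frag
        if msg_id not in self.pending and len(self.pending) >= self.max_pending:
            return None  # refuse to start yet another partial message
        entry = self.pending.setdefault(msg_id, {"first": now, "total": total, "frags": {}})
        if entry["total"] != total or not 1 <= num <= total:
            return None  # header disagrees with earlier fragments: drop it
        entry["frags"][num] = chunk
        if len(entry["frags"]) == total:
            del self.pending[msg_id]
            return b"".join(entry["frags"][i] for i in range(1, total + 1))
        return None

    def expire(self, now=None):
        """Drop partial messages older than the timeout and return their ids,
        so the caller can surface a diagnostic rather than just waiting."""
        now = time.monotonic() if now is None else now
        expired = [m for m, e in self.pending.items() if now - e["first"] > self.timeout]
        for m in expired:
            del self.pending[m]
        return expired
```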
