>>>>> "Yoav" == Yoav Nir <y...@checkpoint.com> writes:

    Yoav> Trying to think up ways to deal with this, I can think of some:

    Yoav> * Get all ISPs to stop dropping fragments. This would be
    Yoav> great, but as the saying goes, you are so not in charge.

1) better diagnostics would help the end users point the finger properly.
   I wish the POSIX/BSD APIs would give the application an error when a
   fragment assembly times out..

    Yoav> * Build a fragmentation layer within IKE, so IKE messages are
    Yoav> broken into several packets that get reassembled at the
    Yoav> destination. This is the path taken by one of our competitors
    Yoav> [1]. This means that IKE has segmentation in addition to other
    Yoav> TCP-like features such as retransmission.

I proposed this for IKEv2 a while ago. It would be worthwhile for people
who like certificates.

    Yoav> * Use IKE over TCP. Looking at the IANA registry ([2]) TCP
    Yoav> port 500 is already allocated to "ISAKMP". We have had IKE
    Yoav> running over TCP for several years for remote access
    Yoav> clients. This was done because remote access clients connect
    Yoav> from behind some very dodgy NAT devices, and some of those do
    Yoav> drop fragments. Getting this behavior at the ISP is novel.

And ESP over TCP on port 4500?

-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] m...@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
               then sign the petition.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
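The "fragmentation layer within the protocol" that Yoav describes, and the reassembly-timeout diagnostic Michael wishes the socket API gave, as an added example (this is not code from the original thread, from Check Point, from the competitor referenced as [1], or from any IKE implementation). The sender splits one large message into datagrams that each stay under a fixed size, the receiver reassembles them per message id, and a reassembly that never completes is reported back to the application instead of the fragments silently vanishing. The 8-byte fragment header, the 1280-byte datagram limit, the timeout and the `FakeClock` are assumptions made for this example, not the IKE wire format.

```python
# Added example, not code from the original post or any IKE implementation.
# Fragment header layout, datagram limit, timeout and FakeClock are assumptions.
import struct
import time
from typing import Dict, List, Optional

HEADER = struct.Struct("!IHH")   # message id, fragment index, fragment count (hypothetical layout)
MAX_DATAGRAM = 1280              # assumption: every fragment stays under the IPv6 minimum MTU
MAX_PAYLOAD = MAX_DATAGRAM - HEADER.size


class ReassemblyOverload(Exception):
    """Raised when too many partial messages are held; bounds memory spent on unverified peers."""


def fragment(msg_id: int, data: bytes, max_payload: int = MAX_PAYLOAD) -> List[bytes]:
    """Split one message into self-describing fragments, each at most MAX_DATAGRAM bytes."""
    chunks = [data[i:i + max_payload] for i in range(0, len(data), max_payload)] or [b""]
    if len(chunks) > 0xFFFF:
        raise ValueError("message too large for a 16-bit fragment count")
    return [HEADER.pack(msg_id, idx, len(chunks)) + c for idx, c in enumerate(chunks)]


class Reassembler:
    """Reassembles fragments per message id; partial messages expire after `timeout` seconds."""

    def __init__(self, timeout: float = 30.0, max_pending: int = 64, clock=time.monotonic):
        self.timeout = timeout
        self.max_pending = max_pending
        self.clock = clock
        # msg_id -> {"first": arrival time, "total": fragment count, "parts": {idx: payload}}
        self.pending: Dict[int, dict] = {}

    def feed(self, datagram: bytes) -> Optional[bytes]:
        """Accept one fragment; return the complete message when its last piece arrives."""
        if len(datagram) < HEADER.size:
            raise ValueError("short fragment")
        msg_id, idx, total = HEADER.unpack_from(datagram)
        if total == 0 or idx >= total:
            raise ValueError("malformed fragment header")
        state = self.pending.get(msg_id)
        if state is None:
            if len(self.pending) >= self.max_pending:
                raise ReassemblyOverload(msg_id)
            state = {"first": self.clock(), "total": total, "parts": {}}
            self.pending[msg_id] = state
        elif state["total"] != total:
            raise ValueError("fragment count changed mid-message")
        state["parts"][idx] = datagram[HEADER.size:]   # a retransmitted duplicate just overwrites
        if len(state["parts"]) == total:
            del self.pending[msg_id]
            return b"".join(state["parts"][i] for i in range(total))
        return None

    def expire(self) -> List[int]:
        """Drop partial messages older than `timeout` and return their ids so the caller can report them."""
        now = self.clock()
        stale = [m for m, s in self.pending.items() if now - s["first"] > self.timeout]
        for m in stale:
            del self.pending[m]
        return stale


class FakeClock:
    """Constructed stand-in for time.monotonic so the timeout can be exercised deterministically."""

    def __init__(self):
        self.now = 1000.0

    def __call__(self):
        return self.now


def demo():
    clock = FakeClock()
    rx = Reassembler(timeout=5.0, clock=clock)
    msg = bytes(range(256)) * 12          # constructed 3072-byte message, larger than one datagram
    # Case 1: all three fragments arrive, out of order; the message is delivered on the last one.
    delivered = None
    for d in reversed(fragment(7, msg)):
        delivered = rx.feed(d) or delivered
    # Case 2: the middle fragment is dropped on the path. Nothing is delivered, and once the
    # timeout passes the application is told that message 8 failed instead of waiting forever.
    frags = fragment(8, msg)
    rx.feed(frags[0])
    rx.feed(frags[2])
    clock.now += 10.0
    timed_out = rx.expire()
    return delivered == msg, timed_out    # (True, [8])


if __name__ == "__main__":
    print(demo())
```

What this leaves out is exactly what Yoav lists next to segmentation: retransmission of fragments that were lost, which a real protocol layer needs on top of this. The `max_pending` bound matters because a peer can open partial reassemblies without ever finishing them; whether the fragments are covered by the message's integrity protection, and how much state to hold for a peer that has not yet authenticated, are the design questions any such layer has to answer.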