On Jun 7, 2012, at 7:15 PM, Paul Hoffman wrote:

>> * Use IKE over TCP. Looking at the IANA registry ([2]) TCP port 500 is
>> already allocated to "ISAKMP". We have had IKE running over TCP for several
>> years for remote access clients. This was done because remote access clients
>> connect from behind some very dodgy NAT devices, and some of those do drop
>> fragments. Getting this behavior at the ISP is novel.
>
> * Use IKE over TCP only after IKE over UDP fails during transmission of a
> packet >512 bytes. That would be interoperable with current deployments
> (although they would not see the second attempt, of course), it costs little,
> and is trivial to implement.
This is possible, but since UDP is not reliable, you'd have to retransmit several times before giving up on UDP. Even if we shorten the "at least a dozen times over a period of at least several minutes", it's still long enough for users to feel - get the "connection with Exchange lost" message in Outlook, for example.

You could begin both UDP (first IKE message) and TCP's 3-way handshake at the same time. If the 3-way handshake completed in time, the larger packets would go over that connection. If not, they would go over TCP.

But all this is implementation-specific details. I'm more interested in hearing whether others are seeing this (I would guess yes, otherwise Cisco would not have developed the IKE fragments), and on whether there is interest in the group in an IKE-over-TCP draft.

Yoav
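The parallel-start idea from the reply above, as an added illustration that is not code from this thread or from any IKE implementation: the TCP 3-way handshake is started at the same time as the first (small) UDP message, and a message above the thread's 512-byte size class goes over TCP only if that handshake has completed by a deadline, otherwise it stays on UDP. The loopback responder, the 0.5 s deadline and the 1400-byte sample message are constructed for the example.

```python
import asyncio
import socket
FRAG_THRESHOLD = 512  # bytes; the size above which the thread reports UDP IKE messages being dropped
TCP_DEADLINE = 0.5    # seconds allowed for the TCP 3-way handshake (constructed value)

async def start_tcp_responder():
    """Hypothetical responder that accepts IKE over TCP and echoes what it receives."""
    async def handle(reader, writer):
        writer.write(await reader.read(-1))  # read to the initiator's EOF, then echo it back
        await writer.drain()
        writer.close()
    server = await asyncio.start_server(handle, "127.0.0.1", 0)
    return server, server.sockets[0].getsockname()[1]

def pick_transport(size, tcp_ready):  # thread's policy: big messages go to TCP only once it is up
    return "tcp" if size > FRAG_THRESHOLD and tcp_ready else "udp"

async def negotiate(tcp_port, first_msg, big_msg, deadline=TCP_DEADLINE):
    """Start the TCP handshake and UDP message 1 together; return (transport for big_msg, echo)."""
    handshake = asyncio.create_task(asyncio.open_connection("127.0.0.1", tcp_port))
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # message 1 goes over UDP meanwhile;
    udp.bind(("127.0.0.1", 0))                              # a loopback socket stands in for the peer
    udp.sendto(first_msg, udp.getsockname())
    assert udp.recv(65536) == first_msg
    udp.close()
    try:  # the handshake gets until the deadline; otherwise the big message stays on UDP
        reader, writer = await asyncio.wait_for(handshake, deadline)
    except (asyncio.TimeoutError, OSError):
        reader = writer = None
    transport, echoed = pick_transport(len(big_msg), writer is not None), b""
    if transport == "tcp":
        writer.write(big_msg)
        await writer.drain()
        writer.write_eof()
        echoed = await reader.read(-1)
    if writer is not None:
        writer.close()
    return transport, echoed

def run_negotiation(tcp_available=True):
    async def go():
        server, port = await start_tcp_responder()
        if not tcp_available:  # responder without a TCP listener: the port now refuses connections
            server.close()
            await server.wait_closed()
        try:  # constructed: a 1400-byte certificate-bearing message, well above the threshold
            return await negotiate(port, b"IKE_SA_INIT", b"A" * 1400)
        finally:
            server.close()
    return asyncio.run(go())
```

With a TCP-capable responder the large message is carried over TCP; against a responder with no TCP listener the handshake fails and the same message falls back to UDP.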