On Jun 7, 2012, at 7:15 PM, Paul Hoffman wrote:

>> * Use IKE over TCP. Looking at the IANA registry ([2]) TCP port 500 is 
>> already allocated to "ISAKMP". We have had IKE running over TCP for several 
>> years for remote access clients. This was done because remote access clients 
>> connect from behind some very dodgy NAT devices, and some of those do drop 
>> fragments. Getting this behavior at the ISP is novel.
> 
> * Use IKE over TCP only after IKE over UDP fails during transmission of a 
> packet >512 bytes. That would be interoperable with current deployments 
> (although they would not see the second attempt, of course), it costs little, 
> and is trivial to implement.

This is possible, but since UDP is not reliable, you'd have to retransmit 
several times before giving up on UDP. Even if we shorten the "at least a dozen 
times over a period of at least several minutes", it's still long enough for 
users to feel - get the "connection with Exchange lost" message in Outlook, for 
example. 

You could begin both UDP (first IKE message) and TCP's 3-way handshake at the 
same time. If the 3-way handshake completed in time, the larger packets would 
go over that connection. If not, they would go over TCP.

But all this is implementation-specific details. I'm more interested in hearing 
whether others are seeing this (I would guess yes, otherwise Cisco would not 
have developed the IKE fragments), and on whether there is interest in the 
group in an IKE-over-TCP draft.

Yoav

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
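The two schemes Yoav sketches above (keep retransmitting the first message over UDP before giving up on it, or start the UDP exchange and the TCP 3-way handshake at the same time and hand the large message to TCP only if the handshake has completed in time) as an added Python example; this is not code from the thread or from any IKE implementation. The IKE messages are constructed byte strings, the peer is a loopback stand-in started in threads, the TCP port 500 from the IANA registry is replaced with ephemeral ports, and the retransmit schedule and timeout are hypothetical values, far shorter than the dozen-over-several-minutes schedule Yoav mentions.

```python
import errno
import selectors
import socket
import threading
import time

# Constructed stand-ins, not real IKE messages: a small first request that fits
# in one datagram and a large follow-up (an IKE_AUTH carrying certificates, say)
# that a device dropping fragments would never deliver over UDP.
SMALL_REQUEST = b"IKE_SA_INIT-req:" + bytes(range(64))
LARGE_REQUEST = b"IKE_AUTH-req:" + b"\xaa" * 1400


def race_udp_and_tcp(host, udp_port, tcp_port, timeout=2.0, retransmit=0.5):
    """Send the first message over UDP while a TCP handshake runs alongside.
    Returns (transport, sock, udp_reply): "tcp" if the 3-way handshake had
    completed by the time the large message is ready (or UDP never answered
    at all), "udp" if the handshake was still pending when UDP answered."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.setblocking(False)
    udp.sendto(SMALL_REQUEST, (host, udp_port))

    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.setblocking(False)
    rc = tcp.connect_ex((host, tcp_port))  # 0 or EINPROGRESS; refusal is possible
    tcp_state = {0: "connected", errno.EINPROGRESS: "connecting",
                 errno.EWOULDBLOCK: "connecting"}.get(rc, "failed")

    sel = selectors.DefaultSelector()
    sel.register(udp, selectors.EVENT_READ)
    if tcp_state == "connecting":
        sel.register(tcp, selectors.EVENT_WRITE)

    now = time.monotonic()
    deadline, next_send = now + timeout, now + retransmit
    udp_reply = None
    while udp_reply is None and time.monotonic() < deadline:
        wait = max(0.0, min(deadline, next_send) - time.monotonic())
        for key, _ in sel.select(wait):
            if key.fileobj is udp:
                udp_reply, _ = udp.recvfrom(65535)
            else:
                # Writable means the non-blocking connect finished; SO_ERROR
                # says whether the handshake completed or was refused.
                sel.unregister(tcp)
                err = tcp.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
                tcp_state = "connected" if err == 0 else "failed"
        if udp_reply is None and time.monotonic() >= next_send:
            udp.sendto(SMALL_REQUEST, (host, udp_port))  # UDP is unreliable
            next_send += retransmit
    sel.close()

    if tcp_state == "connected":
        udp.close()
        return "tcp", tcp, udp_reply
    tcp.close()
    if udp_reply is None:
        udp.close()
        raise OSError("peer answered over neither UDP nor TCP")
    return "udp", udp, udp_reply


def start_local_peer(udp_delay=0.0, with_tcp=True):
    """Constructed loopback peer: a one-shot UDP responder plus, if with_tcp,
    a TCP listener; otherwise a closed TCP port so the handshake is refused."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    udp.settimeout(3.0)

    def udp_loop():
        try:
            data, peer = udp.recvfrom(65535)
            time.sleep(udp_delay)  # a slow peer, so the handshake can win
            udp.sendto(b"IKE_SA_INIT-resp:" + data, peer)
        except socket.timeout:
            pass
        finally:
            udp.close()

    threading.Thread(target=udp_loop, daemon=True).start()
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp_port = tcp.getsockname()[1]
    if not with_tcp:
        tcp.close()
        return udp.getsockname()[1], tcp_port
    tcp.listen(1)
    tcp.settimeout(3.0)

    def tcp_loop():
        try:
            conn, _ = tcp.accept()
            conn.settimeout(3.0)
            conn.recv(65535)  # drain the large message, then hang up
            conn.close()
        except socket.timeout:
            pass
        finally:
            tcp.close()

    threading.Thread(target=tcp_loop, daemon=True).start()
    return udp.getsockname()[1], tcp_port


def run_round(udp_delay, with_tcp, host="127.0.0.1"):
    """One race against a constructed peer; returns (transport, got_udp_reply)."""
    udp_port, tcp_port = start_local_peer(udp_delay, with_tcp)
    transport, sock, reply = race_udp_and_tcp(host, udp_port, tcp_port)
    if transport == "tcp":
        sock.setblocking(True)
        sock.sendall(LARGE_REQUEST)
    else:
        sock.sendto(LARGE_REQUEST, (host, udp_port))
    sock.close()
    return transport, reply is not None


if __name__ == "__main__":
    print(run_round(udp_delay=0.1, with_tcp=True))   # handshake done in time
    print(run_round(udp_delay=0.0, with_tcp=False))  # TCP refused, stay on UDP
```

The decision point is deliberately the moment the UDP reply arrives, because that is when the large message becomes ready to send: a handshake that is still in progress at that instant loses the race and the large message goes over UDP, fragments and all. A peer that does not listen on TCP at all (the second round) costs nothing beyond the refused connect, which is what makes the scheme interoperable with deployments that only speak IKE over UDP.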