On Jun 8, 2012, at 1:01 AM, Paul Hoffman wrote:

> On Jun 7, 2012, at 2:53 PM, Yoav Nir wrote:
> 
>> 
>> On Jun 7, 2012, at 7:15 PM, Paul Hoffman wrote:
>> 
>>>> * Use IKE over TCP. Looking at the IANA registry ([2]) TCP port 500 is 
>>>> already allocated to "ISAKMP". We have had IKE running over TCP for 
>>>> several years for remote access clients. This was done because remote 
>>>> access clients connect from behind some very dodgy NAT devices, and some 
>>>> of those do drop fragments. Getting this behavior at the ISP is novel.
>>> 
>>> * Use IKE over TCP only after IKE over UDP fails during transmission of a 
>>> packet >512 bytes. That would be interoperable with current deployments 
>>> (although they would not see the second attempt, of course), it costs 
>>> little, and is trivial to implement.
>> 
>> This is possible, but since UDP is not reliable, you'd have to retransmit 
>> several times before giving up on UDP. Even if we shorten the "at least a 
>> dozen times over a period of at least several minutes", it's still long 
>> enough for users to feel - get the "connection with Exchange lost" message 
>> in Outlook, for example. 
> 
> Good point.
> 
>> You could begin both UDP (first IKE message) and TCP's 3-way handshake at 
>> the same time. If the 3-way handshake completed in time, the larger packets 
>> would go over that connection. If not, they would go over TCP.
> 
> Yuck. But possibly the right answer.
> 
>> But all this is implementation-specific details. I'm more interested in 
>> hearing whether others are seeing this (I would guess yes, otherwise Cisco 
>> would not have developed the IKE fragments), and on whether there is 
>> interest in the group in an IKE-over-TCP draft.
> 
> 
> Please consider "IKE-with-TCP-and-UDP" before "IKE-over-TCP".

I think we can accommodate different implementations by requiring:
 - that the initiator MAY switch back and forth between TCP and UDP
 - that the responder MUST respond over the same transport on which the request arrived
 - that the responder must not depend on all requests for a particular flow coming 
through the same transport. For example, it is perfectly acceptable for the 
first request of Main Mode to come over UDP, while the next two come over TCP.

Yoav
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
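
Added example, not part of the thread or of any IKE implementation: a small Python model of the three transport rules Yoav proposes above. The responder keys its state on the initiator SPI, deliberately not on the transport, and answers on whatever transport a request arrived on; the initiator picks UDP or TCP per message. The 512-byte threshold, the three-request Main Mode shape, the message fields and the `tcp_ready` flag (standing in for "the 3-way handshake completed in time") are illustrative assumptions.

```python
# Toy model of the IKE-with-TCP-and-UDP rules from the message above.
# Assumptions (not from the thread): message layout, the 512-byte threshold,
# and that Main Mode consists of three initiator requests.
from dataclasses import dataclass, field

UDP_SAFE_PAYLOAD = 512   # assumed threshold above which the initiator avoids UDP


@dataclass
class Message:
    spi_i: int            # initiator SPI: identifies the flow, independent of transport
    msg_id: int           # sequence number within the exchange
    payload: bytes
    transport: str        # "udp" or "tcp": the transport this message travelled on


@dataclass
class Responder:
    # Flow state keyed by initiator SPI only; the transport is NOT part of the key,
    # so a flow may mix UDP and TCP requests freely.
    flows: dict = field(default_factory=dict)

    def handle(self, req: Message) -> Message:
        state = self.flows.setdefault(req.spi_i, {"next_msg_id": 0, "transports": []})
        if req.msg_id != state["next_msg_id"]:
            raise ValueError("unexpected message id %d" % req.msg_id)
        state["next_msg_id"] += 1
        state["transports"].append(req.transport)
        # Rule: respond over the same transport the request arrived on.
        return Message(req.spi_i, req.msg_id, b"resp:" + req.payload, req.transport)


class Initiator:
    def __init__(self, spi_i: int, tcp_ready: bool):
        self.spi_i = spi_i
        self.tcp_ready = tcp_ready   # assumed: TCP 3-way handshake completed in time

    def choose_transport(self, payload: bytes) -> str:
        # Rule: the initiator may switch back and forth. Here it sends small
        # messages over UDP and large ones over TCP whenever TCP is available,
        # falling back to UDP (and whatever fragmentation brings) otherwise.
        if len(payload) > UDP_SAFE_PAYLOAD and self.tcp_ready:
            return "tcp"
        return "udp"

    def run_exchange(self, responder: Responder, payloads) -> list:
        """Send each payload as the next request; return (request, reply) transports."""
        seen = []
        for msg_id, payload in enumerate(payloads):
            t = self.choose_transport(payload)
            reply = responder.handle(Message(self.spi_i, msg_id, payload, t))
            # The responder must have answered on the transport we used.
            assert reply.transport == t
            seen.append((t, reply.transport))
        return seen


if __name__ == "__main__":
    # Constructed Main Mode: a small first request, then two large ones
    # (e.g. carrying certificates) that exceed the UDP threshold.
    responder = Responder()
    path = Initiator(0x1234, tcp_ready=True).run_exchange(
        responder, [b"x" * 100, b"y" * 1400, b"z" * 1400])
    print(path)                                      # [('udp','udp'), ('tcp','tcp'), ('tcp','tcp')]
    print(responder.flows[0x1234]["transports"])     # ['udp', 'tcp', 'tcp']
```

The point of the model is the responder: because its flow table is keyed only by SPI and it echoes the arriving transport, the initiator can mix transports within one exchange without the responder needing any extra logic, which is exactly what the third rule above requires.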
