Hi, we've been running into this issue constantly. I think it is a serious problem for road warriors, who have to deal with all kinds of buggy or crippled SOHO routers installed in hotels etc. Many of our customers complain that they are unable to connect to the main office while on a business trip, and most often the reason is the inability (or unwillingness) of some intermediate router(s) to pass UDP fragments.
> Trying to think up ways to deal with this, I can think of some:
>
> * Get all ISPs to stop dropping fragments. This would be great, but as the
>   saying goes, you are so not in charge.

Not an option.

> * Find ways of making the packets smaller: move to PSK, fiddle with trust
>   anchors so that only one cert is needed, avoid sending CRLs, hash-and-URL, etc.
>   These are not always successful, and often require more configuration than
>   we would like.

Not an option either. Corporate PKI has plenty of requirements to deal with, and the requirement to make certificates smaller is the least of them. Hash-and-URL is a nice feature, but it requires additional infrastructure that not every customer is willing to deploy.

> * Build a fragmentation layer within IKE, so IKE messages are broken into
>   several packets that get reassembled at the destination. This is the path
>   taken by one of our competitors [1]. This means that IKE has segmentation in
>   addition to other TCP-like features such as retransmission.

I like this approach, but as far as I know this is done for IKEv1 only.

> * Use IKE over TCP. Looking at the IANA registry ([2]) TCP port 500 is
>   already allocated to "ISAKMP". We have had IKE running over TCP for several
>   years for remote access clients. This was done because remote access clients
>   connect from behind some very dodgy NAT devices, and some of those do drop
>   fragments. Getting this behavior at the ISP is novel.

IKE over TCP has its drawbacks. It eliminates the ability of IKE to be stateless (with COOKIE), thus considerably increasing its vulnerability to DoS attacks. Switching between UDP and TCP (especially in the middle of an exchange) considerably complicates a protocol that is already complex in that part (remember switching to port 4500 on the fly).

> Have others on this list run into this issue?
>
> Yoav

I'm in favor of developing a standard way of fragmenting big packets in IKEv2.
I believe there might be relatively simple solutions that do not break the core protocol implementation.

Regards,
Smyslov Valery.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
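The "fragmentation layer within IKE" option discussed in the thread, as an added worked example. This is not code from the thread, from the competitor's IKEv1 mechanism cited as [1], or from any vendor's product; the 8-byte fragment header (message ID, 1-based fragment number, total fragments), the 576-byte assumed path MTU and the reassembly-table limits are assumptions chosen for the example. The point it shows is the one the reply makes about statefulness: once fragments are reassembled at the IKE layer, the receiver holds per-message state before authentication, so that state must be bounded and malformed or inconsistent fragments dropped.

```python
"""Illustrative IKE-level fragmentation and reassembly (added example).

Every UDP datagram is kept under an assumed path MTU so the IP layer never
emits fragments; the IKE layer splits a big message and reassembles it.
Wire format and limits are assumptions for this example only.
"""
import struct
from typing import Dict, List, Optional

PATH_MTU = 576                     # assumed conservative path MTU
IP_UDP_OVERHEAD = 28               # IPv4 (20) + UDP (8) headers
FRAG_HDR = struct.Struct("!IHH")   # message_id, fragment_number (1-based), total_fragments
MAX_FRAG_DATA = PATH_MTU - IP_UDP_OVERHEAD - FRAG_HDR.size   # 540 bytes of data per fragment

# DoS bounds: reassembly state is held before the message is authenticated,
# so it must be capped (values are assumptions for the example).
MAX_FRAGMENTS_PER_MESSAGE = 64
MAX_PENDING_MESSAGES = 16


def fragment(message_id: int, data: bytes, max_data: int = MAX_FRAG_DATA) -> List[bytes]:
    """Split one IKE message body into fragments that each fit the path MTU."""
    if not data:
        raise ValueError("empty message")
    chunks = [data[i:i + max_data] for i in range(0, len(data), max_data)]
    total = len(chunks)
    if total > MAX_FRAGMENTS_PER_MESSAGE:
        raise ValueError("message too large to fragment")
    return [FRAG_HDR.pack(message_id, n, total) + c for n, c in enumerate(chunks, start=1)]


def fits_path_mtu(packet: bytes) -> bool:
    """True if this UDP payload plus IP/UDP headers fits in one datagram."""
    return len(packet) + IP_UDP_OVERHEAD <= PATH_MTU


class _Pending:
    def __init__(self, total: int) -> None:
        self.total = total
        self.parts: Dict[int, bytes] = {}   # fragment_number -> data


class Reassembler:
    """Per-peer reassembly state. Tolerates reordering and duplicates; a lost
    fragment simply means the message never completes and the sender's normal
    IKE retransmission timer re-sends the whole set.

    In a real design each fragment must carry its own integrity check so an
    attacker cannot slip a bogus fragment into the set; that is out of scope here.
    """

    def __init__(self) -> None:
        self._pending: Dict[int, _Pending] = {}

    def receive(self, packet: bytes) -> Optional[bytes]:
        """Feed one fragment; return the whole message once all parts are present."""
        if len(packet) < FRAG_HDR.size:
            return None                      # runt packet: drop
        message_id, num, total = FRAG_HDR.unpack_from(packet)
        data = packet[FRAG_HDR.size:]
        if total == 0 or num == 0 or num > total or total > MAX_FRAGMENTS_PER_MESSAGE:
            return None                      # malformed header: drop
        pend = self._pending.get(message_id)
        if pend is None:
            if len(self._pending) >= MAX_PENDING_MESSAGES:
                return None                  # table full: drop rather than grow without bound
            pend = self._pending[message_id] = _Pending(total)
        if pend.total != total:
            return None                      # disagrees with earlier fragments: drop
        if num in pend.parts:
            return None                      # duplicate (e.g. a retransmission): ignore
        pend.parts[num] = data
        if len(pend.parts) == pend.total:
            del self._pending[message_id]
            return b"".join(pend.parts[i] for i in range(1, pend.total + 1))
        return None


if __name__ == "__main__":
    # Constructed sample: a 3072-byte stand-in for a certificate-laden IKE_AUTH body.
    big = bytes(range(256)) * 12
    frags = fragment(7, big)
    print(len(frags), "fragments, all under MTU:", all(fits_path_mtu(f) for f in frags))
    r = Reassembler()
    out = [r.receive(f) for f in reversed(frags)]     # deliver out of order
    print("reassembled OK:", out[-1] == big)
```

The sender side is deliberately stateless beyond what IKE already keeps for retransmission; all the new state lives in the receiver's reassembly table, which is why the table is capped and why fragments whose header disagrees with earlier fragments of the same message are discarded instead of trusted.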