Hi all,
before the meeting I'd like to express some thoughts about the topic.
First, I think this is a very important problem. Until we implemented
IKE fragmentation, many of our "road warrior" customers complained that
they couldn't use IPsec from public places, like hotels, restaurants etc.
Such places often use cheap SOHO NAT boxes that don't
pass IP fragments through.
Second, I (obviously) support draft-smyslov-ipsecme-ikev2-fragmentation
as the solution for IKEv2, for the following reasons:
1. Compared with the non-standard IKEv1 mechanism it is more robust
to DoS attacks (for a modest price), provides the capability for PMTU
discovery, is well suited for IKEv2 and is IPR free. It is implemented and
tested in the field.
2. IKE-over-TCP is an interesting solution, but, I think, it became too
cumbersome as more details were considered. As usual, the devil is in the details.
Regards,
Valery Smyslov.
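To make the point above concrete (an IKE message split into fragments at the IKE layer, so that no IP fragment is ever emitted, with each fragment authenticated on its own so a receiver can drop forged fragments before spending buffer space on them), here is a small added illustration. It is not code from the draft or from any implementation discussed on the list: the 2-octet Fragment Number / Total Fragments header follows the IKEv2 fragmentation payload layout, but the rest of the wire format is simplified, the per-fragment encryption is replaced by a truncated HMAC for brevity, and the message ID, key and size limit are constructed values.

```python
import hashlib
import hmac
import struct

# Fragment header: Fragment Number, Total Fragments (2 octets each), as in the
# IKEv2 Encrypted Fragment payload. Everything else here is a simplification.
FRAG_HDR = struct.Struct("!HH")
ICV_LEN = 16  # truncated HMAC-SHA256 tag standing in for the real per-fragment ICV


def _icv(key: bytes, msg_id: int, data: bytes) -> bytes:
    """Integrity tag bound to the IKE Message ID so fragments cannot be replayed
    into another exchange (assumed simplification; the real payload is encrypted)."""
    return hmac.new(key, struct.pack("!I", msg_id) + data, hashlib.sha256).digest()[:ICV_LEN]


def fragment_message(msg_id: int, payload: bytes, key: bytes, max_frag: int) -> list[bytes]:
    """Split one IKE message body into fragments that each fit in max_frag bytes.

    Each fragment carries (number, total) plus its own ICV, so the receiver can
    authenticate it before buffering it.  max_frag is a constructed path-MTU budget.
    """
    room = max_frag - FRAG_HDR.size - ICV_LEN
    if room <= 0:
        raise ValueError("max_frag too small for header and ICV")
    chunks = [payload[i:i + room] for i in range(0, len(payload), room)] or [b""]
    total = len(chunks)
    frags = []
    for num, chunk in enumerate(chunks, start=1):
        hdr = FRAG_HDR.pack(num, total)
        frags.append(hdr + chunk + _icv(key, msg_id, hdr + chunk))
    return frags


class Reassembler:
    """Per-message reassembly buffer that keeps only authenticated fragments."""

    def __init__(self, key: bytes):
        self.key = key
        self.buffers: dict[int, dict[int, bytes]] = {}
        self.totals: dict[int, int] = {}
        self.rejected = 0  # fragments dropped before consuming any buffer state

    def receive(self, msg_id: int, frag: bytes):
        """Return the reassembled message once complete, otherwise None."""
        if len(frag) < FRAG_HDR.size + ICV_LEN:
            self.rejected += 1
            return None
        body, icv = frag[:-ICV_LEN], frag[-ICV_LEN:]
        # Authenticate first: a forged fragment never reaches the buffer, which is
        # the DoS-resistance property the per-fragment protection buys.
        if not hmac.compare_digest(icv, _icv(self.key, msg_id, body)):
            self.rejected += 1
            return None
        num, total = FRAG_HDR.unpack_from(body)
        if not 1 <= num <= total or self.totals.setdefault(msg_id, total) != total:
            self.rejected += 1
            return None
        buf = self.buffers.setdefault(msg_id, {})
        buf.setdefault(num, body[FRAG_HDR.size:])  # first copy wins; duplicates ignored
        if len(buf) == total:
            data = b"".join(buf[i] for i in range(1, total + 1))
            del self.buffers[msg_id], self.totals[msg_id]
            return data
        return None


if __name__ == "__main__":
    key = b"constructed-demo-key"
    message = bytes(range(256)) * 8  # constructed 2048-byte IKE_AUTH-sized body
    frags = fragment_message(7, message, key, 500)
    r = Reassembler(key)
    result = [r.receive(7, f) for f in reversed(frags)][-1]  # out-of-order delivery
    print(len(frags), "fragments,", "reassembled OK" if result == message else "FAILED")
```

The receiver verifies the tag before it allocates any reassembly state, so fragments that cannot be authenticated cost nothing but the hash; fragments that do authenticate are accepted in any order, and duplicates are ignored.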
The ipsecme working group is chartered to come up with a solution for
transporting long IKEv2 messages over networks that do not perform IP
fragmentation correctly, and as a result drop overly long messages,
usually IKE_AUTH messages.
We would like to invite the group to a Virtual Interim Meeting (a.k.a.
conference call), to discuss this problem.
Potential outcomes of the meeting include:
- The group decides that this is not an important problem.
- This is an important problem and we have 1-2 people committed to author
a draft along the lines of the non-standard IKEv1 mechanism.
- This is an important problem and the group is happy to adopt
draft-smyslov-ipsecme-ikev2-fragmentation (which solves the same problem
in a somewhat different fashion).
- The group still prefers IKE-over-TCP and there are committed authors to
continue work on that draft.
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec