Hi Valery.

I agree with your conclusion (that we should do an IKE fragment thing, maybe 
based on your draft).

However, two comments:

 1. You can never know if anything is IPR free. At best you can say that nobody 
has said anything yet.

 2. IKE over TCP has worked for over 10 years in my company's products and 
worked well. So the details can be ironed out. The reason we abandoned this 
technology is that the broken SOHO devices began to not only drop fragments, 
but to also drop anything that wasn't TCP to a specific group of ports. 
IKE-over-TCP could not solve this issue.

Yoav

On May 7, 2013, at 3:40 PM, Valery Smyslov <sva...@gmail.com> wrote:

> Hi all,
> 
> before the meeting I'd like to express some thoughts about the topic.
> 
> First, I think this is a very important problem. Until we implemented
> IKE fragmentation, many of our "road warrior" customers complained that
> they couldn't use IPsec from public places, like hotels, restaurants etc.
> Such places often use cheap SOHO NAT boxes that don't
> pass IP fragments through.
> 
> Second, I (obviously) support draft-smyslov-ipsecme-ikev2-fragmentation
> as a solution for IKEv2, for the following reasons:
> 
> 1. Compared with the non-standard IKEv1 mechanism it is more robust
>   to DoS attacks (for a modest price), provides capability for PMTU
>   discovery, is well suited for IKEv2 and is IPR free. It is implemented
>   and tested in the field.
> 
> 2. IKE-over-TCP is an interesting solution, but, I think, it became too
>   cumbersome as more details were considered. As usual, the devil is in
>   the details.
> 
> Regards,
> Valery Smyslov.
> 
> 
>> The ipsecme working group is chartered to come up with a solution for 
>> transporting long IKEv2 messages over networks that do not perform IP 
>> fragmentation correctly, and as a result drop overly long messages, usually 
>> IKE_AUTH messages.
>> 
>> We would like to invite the group to a Virtual Interim Meeting (a.k.a. 
>> conference call), to discuss this problem.
>> 
>> Potential outcomes of the meeting include:
>> - The group decides that this is not an important problem.
>> - This is an important problem and we have 1-2 people committed to author a 
>> draft along the lines of the non-standard IKEv1 mechanism.
>> - This is an important problem and the group is happy to adopt 
>> draft-smyslov-ipsecme-ikev2-fragmentation (which solves the same problem in 
>> a somewhat different fashion).
>> - The group still prefers IKE-over-TCP and there are committed authors to 
>> continue work on that draft.
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

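The thread's core problem (a large IKE_AUTH message exceeding the path MTU, with NAT boxes that drop IP fragments) and the design property Valery cites (robustness to DoS) are easier to see with a small simulation. The following is an added illustration and is not code from the draft, from Check Point or from any other product on this list; its 8-byte fragment header, its limits MAX_FRAGMENTS and MAX_PENDING, and the "NAT that drops anything larger than the MTU" model are all constructed assumptions. It omits the per-fragment encryption and integrity protection a real mechanism would apply, and only shows why fragmenting at the IKE layer gets the message through while bounding the state a receiver keeps for incomplete messages.

```python
"""Simplified model of IKE-level fragmentation and reassembly (constructed
illustration; the header layout and limits below are assumptions, not the
draft's wire format)."""
import struct
from typing import Dict, List, Optional

# Assumed fragment header: message id (4 bytes), fragment number (2 bytes,
# counted from 1), total fragments (2 bytes).
HDR = struct.Struct("!IHH")
MAX_FRAGMENTS = 64   # assumed upper bound on fragments per message
MAX_PENDING = 8      # assumed upper bound on simultaneously incomplete messages


def fragment(msg_id: int, payload: bytes, mtu: int) -> List[bytes]:
    """Split one IKE message into datagrams that each fit within mtu."""
    chunk = mtu - HDR.size
    if chunk <= 0:
        raise ValueError("mtu too small for the fragment header")
    pieces = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    total = len(pieces)
    if total > MAX_FRAGMENTS:
        raise ValueError("message would need more than MAX_FRAGMENTS fragments")
    return [HDR.pack(msg_id, n, total) + p for n, p in enumerate(pieces, start=1)]


def nat_forward(datagrams: List[bytes], mtu: int) -> List[bytes]:
    """Model of the SOHO box from the thread: anything larger than the MTU,
    which would have to be IP-fragmented, is silently dropped."""
    return [d for d in datagrams if len(d) <= mtu]


class Reassembler:
    """Receiver side. Keeps bounded state so a flood of partial messages
    cannot make it allocate without limit."""

    def __init__(self) -> None:
        self.pending: Dict[int, dict] = {}

    def receive(self, datagram: bytes) -> Optional[bytes]:
        """Return the complete message once its last fragment arrives, else None.
        Malformed or inconsistent fragments are discarded without creating state."""
        if len(datagram) < HDR.size:
            return None
        msg_id, n, total = HDR.unpack_from(datagram)
        body = datagram[HDR.size:]
        if total == 0 or total > MAX_FRAGMENTS or n == 0 or n > total:
            return None
        state = self.pending.get(msg_id)
        if state is None:
            if len(self.pending) >= MAX_PENDING:
                return None  # refuse to grow state under pressure
            state = self.pending[msg_id] = {"total": total, "parts": {}}
        elif state["total"] != total:
            return None  # contradicts what we already hold for this message id
        state["parts"].setdefault(n, body)  # first copy of a fragment wins
        if len(state["parts"]) == total:
            del self.pending[msg_id]
            return b"".join(state["parts"][i] for i in range(1, total + 1))
        return None


def deliver(payload: bytes, mtu: int, use_ike_fragmentation: bool) -> bool:
    """End-to-end check: does the message survive the NAT model and reassemble?"""
    msg_id = 1  # constructed value
    if use_ike_fragmentation:
        sent = fragment(msg_id, payload, mtu)
    else:
        sent = [HDR.pack(msg_id, 1, 1) + payload]  # one oversized datagram
    receiver = Reassembler()
    got = None
    for d in nat_forward(sent, mtu):
        got = receiver.receive(d) or got
    return got == payload


if __name__ == "__main__":
    ike_auth = b"A" * 3000   # constructed stand-in for a certificate-laden IKE_AUTH
    print("unfragmented:", deliver(ike_auth, 1280, False))
    print("IKE-fragmented:", deliver(ike_auth, 1280, True))
```

Two details carry the thread's points: the NAT model drops the single 3000-byte datagram exactly as an IP-fragment-dropping box would, while the IKE-layer fragments pass because each is an ordinary small UDP datagram; and the receiver caps both fragments per message and concurrently incomplete messages, which is the "modest price" trade-off between reassembly state and DoS exposure that a sender-driven scheme has to manage.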