Paul Hoffman <paul.hoff...@vpnc.org> wrote: >> Recently discovered incorrect behavior of ISPs poses a challenge to >> IKE, whose UDP messages (especially #3 and #4) sometimes get >> fragmented at the IP level and then dropped by these ISPs. There is >> interest in solving this issue by allowing transport of IKE over TCP; >> this is currently implemented by some vendors. The group will >> standardize such a solution.
I think that we gave up over TCP, and have back to fragmentation inside IKE, right? >> The WG will revise the IKEv2 specification with a small number of >> mandatory tests required for the secure operation of IKEv2 when using >> elliptic curve cryptography. This work will be based on >> draft-sheffer-ipsecme-dh-checks. I think we already completed this? >> Goals and Milestones: >> >> Done - IETF Last Call on large scale VPN use cases and requirements >> Done - IETF last call on IKE fragmentation solution Done - IETF last >> call on new mandatory-to-implement algorithms Seems like we should have more milestones listed. I'd like to make the puzzle solving work charter. I imagine that this is a real problem, but I wouldn't mind some data on how often gateways are being DDoSed. -- Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
pgpM1Y2GN5Yo_.pgp
Description: PGP signature
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec