During field testing of post-quantum IKEv2 over UDP, we observed a high rate of retransmissions involving IKEv2 fragments. In real-world deployments, the same fragment was consistently lost, causing repeated retransmissions of all fragments, as required by RFC 7383. In some cases, the peers failed to complete the exchange even after more than 50 retries, indicating that the current recovery behavior is insufficient for large PQC-sized messages over UDP.

We have been exploring incremental updates to IKEv2 over UDP to improve fragment recovery reliability without introducing the complexity of a new transport protocol, and without TCP as proposed in draft-ietf-ipsecme-ikev2-reliable-transport. The draft below outlines our initial ideas for selective fragment acknowledgment and receiver-assisted retransmission control. Feedback, concerns, and suggestions are very welcome. Has anyone else experienced similar issues? Any other solutions?

-antony

----- Forwarded message from [email protected] -----

Date: Wed, 19 Nov 2025 06:34:13 -0800
From: [email protected]
To: Antony Antony <[email protected]>, Steffen Klassert <[email protected]>, Tobias Brunner <[email protected]>
Subject: New Version Notification for draft-antony-ipsecme-ikev2-fragment-acknowledgment-01.txt

A new version of Internet-Draft draft-antony-ipsecme-ikev2-fragment-acknowledgment-01.txt has been successfully submitted by Antony Antony and posted to the IETF repository.

Name:     draft-antony-ipsecme-ikev2-fragment-acknowledgment
Revision: 01
Title:    IKEv2 Fragment Acknowledgment Extension
Date:     2025-11-19
Group:    Individual Submission
Pages:    11
URL:      https://www.ietf.org/archive/id/draft-antony-ipsecme-ikev2-fragment-acknowledgment-01.txt
Status:   https://datatracker.ietf.org/doc/draft-antony-ipsecme-ikev2-fragment-acknowledgment/
HTML:     https://www.ietf.org/archive/id/draft-antony-ipsecme-ikev2-fragment-acknowledgment-01.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-antony-ipsecme-ikev2-fragment-acknowledgment
Diff:     https://author-tools.ietf.org/iddiff?url2=draft-antony-ipsecme-ikev2-fragment-acknowledgment-01

Abstract:

   This document specifies an extension to the Internet Key Exchange Protocol Version 2 (IKEv2) that enables acknowledgment of IKEv2 message fragments over UDP. The mechanism allows an IKE peer to confirm reception of individual fragments during the IKE_AUTH exchange and any subsequent exchanges where IKEv2 Fragmentation is used.

   Support for this feature is negotiated using a new Notify Message Status Type during IKE_SA_INIT, and fragment acknowledgments are exchanged using a separate Notification payload. This extension improves reliability when large IKE messages are exchanged, such as those containing post-quantum cryptography (PQC) payloads, and reduces retransmission overhead, thereby improving IKEv2 round-trip times in lossy network conditions.

The IETF Secretariat

----- End forwarded message -----

_______________________________________________
IPsec mailing list -- [email protected]
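The following model is an added illustration, not code from the draft or from any IKEv2 implementation, of the recovery problem the post describes: RFC 7383 fragments a large IKE message into numbered pieces (Fragment Number / Total Fragments, numbered from 1) and, on timeout, the sender retransmits every fragment. The "selective" strategy below is a generic stand-in for per-fragment acknowledgment and is an assumption of this example: it models the receiver's list of missing fragment numbers reaching the sender losslessly and says nothing about the draft's actual Notify payload formats. Two deterministic loss models reproduce the post's observation that one fragment can be lost on every attempt (in which case neither strategy completes, though the selective one resends far less and identifies the fragment), and two closed-form functions give the expected number of rounds under independent random loss, where retransmit-everything grows as 1/(1-p)^n with the fragment count n. The sample message and loss rates are constructed for the example.

```python
"""Model of IKEv2 fragment recovery over UDP (RFC 7383 fragmentation): the
retransmit-everything rule compared with per-fragment retransmission.
Added illustration only; the selective strategy is an assumed generic model,
not the mechanism of draft-antony-ipsecme-ikev2-fragment-acknowledgment."""
from __future__ import annotations

import random
import struct
from typing import Callable, Dict, List, Optional

# RFC 7383 Encrypted Fragment payload carries Fragment Number and Total
# Fragments as two 16-bit fields, numbered from 1.  The IV, ciphertext and
# ICV that follow in the real payload are stood in for by plaintext chunks.
FRAG_FIELDS = struct.Struct("!HH")

LossModel = Callable[[int, int], bool]  # (fragment number, attempt) -> dropped?


def fragment_message(message: bytes, max_payload: int) -> List[bytes]:
    """Split one IKE message into numbered fragments."""
    chunks = [message[i:i + max_payload] for i in range(0, len(message), max_payload)]
    return [FRAG_FIELDS.pack(num, len(chunks)) + chunk
            for num, chunk in enumerate(chunks, start=1)]


def frag_number(frag: bytes) -> int:
    return FRAG_FIELDS.unpack_from(frag)[0]


class Reassembler:
    """Receiver side: collect fragments of one message and report the gaps."""

    def __init__(self) -> None:
        self.total: Optional[int] = None
        self.parts: Dict[int, bytes] = {}

    def accept(self, frag: bytes) -> None:
        num, total = FRAG_FIELDS.unpack_from(frag)
        if not (1 <= num <= total):
            return  # malformed fragment number: ignore
        if self.total is None:
            self.total = total
        elif total != self.total:
            return  # inconsistent Total Fragments: ignored here (the model does
                    # not implement RFC 7383's handling of re-fragmented messages)
        self.parts[num] = frag[FRAG_FIELDS.size:]

    def missing(self) -> List[int]:
        """Fragment numbers not yet seen: what a selective acknowledgment would carry."""
        if self.total is None:
            return []
        return [n for n in range(1, self.total + 1) if n not in self.parts]

    def message(self) -> Optional[bytes]:
        if self.total is None or self.missing():
            return None
        return b"".join(self.parts[n] for n in range(1, self.total + 1))


def run_exchange(message: bytes, max_payload: int, drop: LossModel,
                 selective: bool, max_retries: int = 5) -> dict:
    """Send one fragmented message until it reassembles or retries run out.

    selective=False: every timeout retransmits all fragments (RFC 7383 rule).
    selective=True:  the receiver's missing-fragment list is assumed to reach
    the sender after each round, and only those fragments are resent.
    """
    frags = fragment_message(message, max_payload)
    rx = Reassembler()
    pending, sent = frags, 0
    for attempt in range(max_retries + 1):
        for frag in pending:
            sent += 1
            if not drop(frag_number(frag), attempt):
                rx.accept(frag)
        if rx.message() == message:
            return {"complete": True, "rounds": attempt + 1,
                    "fragments_sent": sent, "missing": []}
        if selective and rx.total is not None:
            gaps = set(rx.missing())
            pending = [f for f in frags if frag_number(f) in gaps]
    return {"complete": False, "rounds": max_retries + 1,
            "fragments_sent": sent, "missing": rx.missing()}


def always_lose(frag_num: int) -> LossModel:
    """The field observation: one particular fragment never gets through."""
    return lambda num, attempt: num == frag_num


def lose_once(frag_num: int) -> LossModel:
    """One transient loss of one fragment on the first transmission only."""
    return lambda num, attempt: attempt == 0 and num == frag_num


def random_loss(p: float, seed: int = 0) -> LossModel:
    rng = random.Random(seed)
    return lambda num, attempt: rng.random() < p


def expected_rounds_all(n: int, p: float) -> float:
    """Retransmit-everything: a round succeeds only if all n fragments survive,
    so the round count is geometric with success probability (1-p)**n."""
    if not 0.0 <= p < 1.0:
        raise ValueError("loss probability must be in [0, 1)")
    return 1.0 / (1.0 - p) ** n


def expected_rounds_selective(n: int, p: float, tol: float = 1e-12) -> float:
    """Per-fragment retransmission: rounds = max of n independent geometric
    trials, so E[max] = sum over r>=0 of P(max > r) = sum 1 - (1 - p**r)**n."""
    if not 0.0 <= p < 1.0:
        raise ValueError("loss probability must be in [0, 1)")
    total, r = 0.0, 0
    while True:
        term = 1.0 - (1.0 - p ** r) ** n
        total += term
        if term < tol:
            return total
        r += 1


if __name__ == "__main__":
    msg = bytes(range(256)) * 8  # constructed 2048-byte stand-in for a PQC-sized IKE_AUTH
    models = [("fragment 7 always lost", lambda: always_lose(7)),
              ("5% random loss", lambda: random_loss(0.05, seed=1))]
    for name, factory in models:
        for selective in (False, True):
            print(f"{name:24} selective={selective!s:5}",
                  run_exchange(msg, 128, factory(), selective, max_retries=10))
    print("expected rounds, 16 fragments, p=0.05:",
          round(expected_rounds_all(16, 0.05), 2), "(all) vs",
          round(expected_rounds_selective(16, 0.05), 2), "(selective)")
```

The deterministic `always_lose` case is the one the post reports: with a fragment that can never traverse the path, retries alone do not help under either rule, so whatever an acknowledgment extension does about that case has to be more than resending the same fragment (for instance letting the sender learn which fragment is stuck); the model only makes the cost difference and the diagnosis visible. Under independent random loss the closed-form functions show why the retransmit-everything rule degrades so quickly as PQC payloads push the fragment count up.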
