[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Ipsec] big IKE packets

To: "'Michael Richardson'" <mcr@sandelman.ottawa.on.ca>, "'Paul Hoffman / VPNC'" <paul.hoffman@vpnc.org>
Subject: RE: [Ipsec] big IKE packets
From: "Yoav Nir" <ynir@checkpoint.com>
Date: Wed, 1 Sep 2004 10:03:56 +0300
Cc: ipsec@lists.tislabs.com, pki4ipsec@honor.icsalabs.com
In-reply-to: <27208.1093996792@marajade.sandelman.ottawa.on.ca>
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: IP Security <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=unsubscribe>
Organization: Check Point
Sender: ipsec-bounces@ietf.org
Thread-index: AcSPuexWQI0qcq08TU2bFGcKcsNcxgAM9PSA

OK.

Yes, solving the cert too-big-for-MTU is important.

I don't know how representative it is of others' experience, but I can tell
you about my company's experience with IKEv1.  In general, enterprise
gateways have no problems talking to one another using large UDP packets.
The routers allow this, although my experience may be tainted by working
only with modern gateways.

The place where cert-too-big is a problem is for the case of a home user or
small office behind a broadband modem.  These things do drop UDP fragments,
and in many cases they prevent phase 1 from completing.

I'm just not sure Suren's idea is the best way to solve this.  What my
company did was to allow IKE to pass over TCP (we used port 500).  This has
some advantages, and some disadvantages.  I'll list them, as far as we've
learned:

Advantages:
  1. Takes care of long messages and retransmissions.
  2. Since an IKE message has a length field, requires virtually
     no change in the protocol.

Disadvantages:
  1. Like all TCP ports, this is a potential for DOS attacks that
     needs to be mitigated.
  2. When the evil, fragment-dropping router is also a NAT 
     device (nearly always) you cannot open a TCP connection from
     the responder back to the initiator, so you need to have a
     separate phase2 (or CCSA in IKEv2) exchange running with UDP
     after the original exchange so as to map the ports.

Certs are not the only source for messages.  In IKEv1 there were also large
proposals.  In IKEv2 there could be EAP methods, large traffic selectors,
etc.  Things like hash-and-URL solve one problem, but I think IKE over TCP
is a better solution.

Like any proposal, I guess this too falls into the too-late-for-IKEv2
category, but it still could be submitted as a private draft.

-----Original Message-----
From: Michael Richardson
Subject: Re: [Ipsec] big IKE packets 


>>>>> "VPNC" == VPNC  <Paul> writes:
    VPNC> It would be a lot easier for those of us who think "let's not
    VPNC> re-invent TCP in IKEv2" to know what you are talking about if
    VPNC> we had an Internet Draft will your full proposal for the
    VPNC> fragment handling. Without that, we'll just keep saying "it's
    VPNC> too hard, and it's not important enough" and you'll keep
    VPNC> saying "it really isn't, and it is important".

  Remember, that I'm the guy who thinks that one of the reasons that 
certificates shouldn't be exchanged in-band is because of problems like
this :-)
  I do, however, hate PSK, and want it to go away, so if solving this
problem makes progress, then I'm willing to help.

  I twigged on this after reading parts of the last month of the
pki4ipsec list, and started to think about it in the shower or
something.

  I would be happy to write a document --- but others need to say, "yes,
solving the cert too-big-for-MTU is important".



_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

Follow-Ups:
- Re: [Ipsec] big IKE packets
  - From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>

Next by Date: ietf.org mailing list memberships reminder
Next by thread: Re: [Ipsec] big IKE packets
Index(es):
- Date
- Thread