[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Ipsec] big IKE packets

To: Paul Koning <pkoning@equallogic.com>
Subject: Re: [Ipsec] big IKE packets
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Wed, 01 Sep 2004 18:37:05 -0400
Cc: ipsec@lists.tislabs.com, ynir@checkpoint.com, pki4ipsec@honor.icsalabs.com
In-reply-to: Message from Paul Koning <pkoning@equallogic.com> of "Wed,01 Sep 2004 16:54:42 EDT." <16694.14098.898026.4193@gargle.gargle.HOWL>
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: IP Security <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=unsubscribe>
References: <200409011001.i81A1gSj053026@givry.rennes.enst-bretagne.fr><200409011031.i81AVIu19463@michael.checkpoint.com><16693.65040.525143.196105@gargle.gargle.HOWL><4728C348-FC4F-11D8-97AA-000393AD410A@checkpoint.com><16694.14098.898026.4193@gargle.gargle.HOWL>
Sender: ipsec-bounces@ietf.org

-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Paul" == Paul Koning <pkoning@equallogic.com> writes:
>>>>> "Yoav" == Yoav Nir <ynir@checkpoint.com> writes:

    Yoav> To quite a large extent.  If that equipment worked correctly,
    Yoav> it would be able to work with fragments, and we could do with
    Yoav> UDP and ESP, no need for NAT-T.

    Yoav> As it is, TCP is supported by all equipment, and is
    Yoav> implemented in every operating system.  Who uses SCTP?

    Paul> Not many people use SCTP.  But it is an IETF standard.  It has
    Paul> been suggested as a suitable protocol.  If we decide not to
    Paul> use it for technical reasons, that's fine.  But I don't think
    Paul> "we can't use good protocol X because there are crummy network
    Paul> equipment vendors who mess up that protocol" is a good policy.

  Should we define a standard way to do IKE over SCTP? Yes.

  Does it solve the problem at hand? Unfortunately not.

Let me state the problem again:

Statement 1: IKE (v1 and v2) can create UDP datagrams which are larger
	     than the MTU.

Statement 2: IP permits these datagrams to be fragmented by the sender,
	     such that the receiver can assemble them.

Statement 3: there exist faulty network devices which attempt to filter
	     based upon port numbers, and fail when the datagrams are
	     fragmented.

Assumptions/Notes

Statement 1
a) If the only source of large IKE packets is certificates, then there are
   other mechanisms for exchanging certificates. They include HTTP, LDAP,
   possibly HTTP POST from the "road warrior" to the gateway, etc.

   I.e. we don't need to solve this problem in IKE.

b) There are are other reasons why IKE datagrams can be large.
   One reason in IKEv1 is proposals. 
       Postulate: IKEv2 mitigates this to the point where it doesn't matter.
		

Statement 2

a) A gateway may wish to never have to assemble fragments for port-500
   to avoid fragment attacks.

Statement 3

a) The broken equipment can not be replaced.

- --
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

	





	
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQTZPEIqHRg3pndX9AQHwhwP/bETMfs3jZY/kf/6xhs+O/xYbEBE8T6mf
QxvQCFRcXnFk1jSFA5h/OMw0J6B/sBvy48/TjPJ+RyCrb7vkBlIuggRcmkbZVxeO
w3z8mG8J/4AXD7v35odme0zoxNR0YjHbLw3uWw3qTpml3zOt7mxLEVglcJkaTcH3
QOeJUVL2cuQ=
=Cvwg
-----END PGP SIGNATURE-----

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

References:
- Re: [Ipsec] big IKE packets
  - From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
- RE: [Ipsec] big IKE packets
  - From: "Yoav Nir" <ynir@checkpoint.com>
- RE: [Ipsec] big IKE packets
  - From: Paul Koning <pkoning@equallogic.com>
- Re: [Ipsec] big IKE packets
  - From: Yoav Nir <ynir@checkpoint.com>
- Re: [Ipsec] big IKE packets
  - From: Paul Koning <pkoning@equallogic.com>

Prev by Date: Re: [Ipsec] big IKE packets
Next by Date: Re:[Ipsec] big IKE packets
Previous by thread: Re: [Ipsec] big IKE packets
Next by thread: Re: [Ipsec] big IKE packets
Index(es):
- Date
- Thread