[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Ipsec] big IKE packets
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Paul" == Paul Koning <pkoning@equallogic.com> writes:
>>>>> "Yoav" == Yoav Nir <ynir@checkpoint.com> writes:
Yoav> To quite a large extent. If that equipment worked correctly,
Yoav> it would be able to work with fragments, and we could do with
Yoav> UDP and ESP, no need for NAT-T.
Yoav> As it is, TCP is supported by all equipment, and is
Yoav> implemented in every operating system. Who uses SCTP?
Paul> Not many people use SCTP. But it is an IETF standard. It has
Paul> been suggested as a suitable protocol. If we decide not to
Paul> use it for technical reasons, that's fine. But I don't think
Paul> "we can't use good protocol X because there are crummy network
Paul> equipment vendors who mess up that protocol" is a good policy.
Should we define a standard way to do IKE over SCTP? Yes.
Does it solve the problem at hand? Unfortunately not.
Let me state the problem again:
Statement 1: IKE (v1 and v2) can create UDP datagrams which are larger
than the MTU.
Statement 2: IP permits these datagrams to be fragmented by the sender,
such that the receiver can assemble them.
Statement 3: there exist faulty network devices which attempt to filter
based upon port numbers, and fail when the datagrams are
fragmented.
Assumptions/Notes
Statement 1
a) If the only source of large IKE packets is certificates, then there are
other mechanisms for exchanging certificates. They include HTTP, LDAP,
possibly HTTP POST from the "road warrior" to the gateway, etc.
I.e. we don't need to solve this problem in IKE.
b) There are are other reasons why IKE datagrams can be large.
One reason in IKEv1 is proposals.
Postulate: IKEv2 mitigates this to the point where it doesn't matter.
Statement 2
a) A gateway may wish to never have to assemble fragments for port-500
to avoid fragment attacks.
Statement 3
a) The broken equipment can not be replaced.
- --
] "Elmo went to the wrong fundraiser" - The Simpson | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys
iQCVAwUBQTZPEIqHRg3pndX9AQHwhwP/bETMfs3jZY/kf/6xhs+O/xYbEBE8T6mf
QxvQCFRcXnFk1jSFA5h/OMw0J6B/sBvy48/TjPJ+RyCrb7vkBlIuggRcmkbZVxeO
w3z8mG8J/4AXD7v35odme0zoxNR0YjHbLw3uWw3qTpml3zOt7mxLEVglcJkaTcH3
QOeJUVL2cuQ=
=Cvwg
-----END PGP SIGNATURE-----
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec