headers
Paul Hoffman / VPNC | 1 Sep 2004 01:23

Re: [Ipsec] big IKE packets

It would be a lot easier for those of us who think "let's not 
re-invent TCP in IKEv2" to know what you are talking about if we had 
an Internet Draft will your full proposal for the fragment handling. 
Without that, we'll just keep saying "it's too hard, and it's not 
important enough" and you'll keep saying "it really isn't, and it is 
important".

--Paul Hoffman, Director
--VPN Consortium
Permalink | Reply | 29 comments |
headers
Kivinen | 1 Sep 2004 02:30
Picon
Picon
Favicon

foto

foto


VIRUS INFECTION ALERT

The Gauntlet Firewall&reg discovered a virus in this file. The file was not repaired and has therefore been removed. See your system administrator for further information.

Filename: fotos.zip
Virus name: JS/IllWill

Copyright © 1993-2001, Networks Associates Technology, Inc.
All Rights Reserved.
http://www.pgp.com

_______________________________________________
Ipsec mailing list
Ipsec <at> ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
Permalink | Reply | 0 comments |
headers
Michael Richardson | 1 Sep 2004 01:59
Picon

Re: [Ipsec] big IKE packets


>>>>> "VPNC" == VPNC  <Paul> writes:
    VPNC> It would be a lot easier for those of us who think "let's not
    VPNC> re-invent TCP in IKEv2" to know what you are talking about if
    VPNC> we had an Internet Draft will your full proposal for the
    VPNC> fragment handling. Without that, we'll just keep saying "it's
    VPNC> too hard, and it's not important enough" and you'll keep
    VPNC> saying "it really isn't, and it is important".

  Remember, that I'm the guy who thinks that one of the reasons that 
certificates shouldn't be exchanged in-band is because of problems like
this :-)
  I do, however, hate PSK, and want it to go away, so if solving this
problem makes progress, then I'm willing to help.

  I twigged on this after reading parts of the last month of the
pki4ipsec list, and started to think about it in the shower or
something.

  I would be happy to write a document --- but others need to say, "yes,
solving the cert too-big-for-MTU is important".

--
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr <at> xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
Permalink | Reply | 27 comments |
headers
Yoav Nir | 1 Sep 2004 09:03
Picon
Favicon

RE: big IKE packets

OK.

Yes, solving the cert too-big-for-MTU is important.

I don't know how representative it is of others' experience, but I can tell
you about my company's experience with IKEv1.  In general, enterprise
gateways have no problems talking to one another using large UDP packets.
The routers allow this, although my experience may be tainted by working
only with modern gateways.

The place where cert-too-big is a problem is for the case of a home user or
small office behind a broadband modem.  These things do drop UDP fragments,
and in many cases they prevent phase 1 from completing.

I'm just not sure Suren's idea is the best way to solve this.  What my
company did was to allow IKE to pass over TCP (we used port 500).  This has
some advantages, and some disadvantages.  I'll list them, as far as we've
learned:

Advantages:
  1. Takes care of long messages and retransmissions.
  2. Since an IKE message has a length field, requires virtually
     no change in the protocol.

Disadvantages:
  1. Like all TCP ports, this is a potential for DOS attacks that
     needs to be mitigated.
  2. When the evil, fragment-dropping router is also a NAT 
     device (nearly always) you cannot open a TCP connection from
     the responder back to the initiator, so you need to have a
     separate phase2 (or CCSA in IKEv2) exchange running with UDP
     after the original exchange so as to map the ports.

Certs are not the only source for messages.  In IKEv1 there were also large
proposals.  In IKEv2 there could be EAP methods, large traffic selectors,
etc.  Things like hash-and-URL solve one problem, but I think IKE over TCP
is a better solution.

Like any proposal, I guess this too falls into the too-late-for-IKEv2
category, but it still could be submitted as a private draft.

-----Original Message-----
From: Michael Richardson
Subject: Re: [Ipsec] big IKE packets 

>>>>> "VPNC" == VPNC  <Paul> writes:
    VPNC> It would be a lot easier for those of us who think "let's not
    VPNC> re-invent TCP in IKEv2" to know what you are talking about if
    VPNC> we had an Internet Draft will your full proposal for the
    VPNC> fragment handling. Without that, we'll just keep saying "it's
    VPNC> too hard, and it's not important enough" and you'll keep
    VPNC> saying "it really isn't, and it is important".

  Remember, that I'm the guy who thinks that one of the reasons that 
certificates shouldn't be exchanged in-band is because of problems like
this :-)
  I do, however, hate PSK, and want it to go away, so if solving this
problem makes progress, then I'm willing to help.

  I twigged on this after reading parts of the last month of the
pki4ipsec list, and started to think about it in the shower or
something.

  I would be happy to write a document --- but others need to say, "yes,
solving the cert too-big-for-MTU is important".
Permalink | Reply | 25 comments |
headers
Francis Dupont | 1 Sep 2004 12:01
Picon
Picon

Re: [Ipsec] big IKE packets

 In your previous mail you wrote:

   Things like hash-and-URL solve one problem, but I think IKE over TCP
   is a better solution.

   Like any proposal, I guess this too falls into the too-late-for-IKEv2
   category, but it still could be submitted as a private draft.

=> if we agree to change UDP for a better protocol, IMHO SCTP is
the best candidate (BTW it was designed for signaling, and IKE is
a signaling protocol).

Regards

Francis.Dupont <at> enst-bretagne.fr

PS: interaction of IKE over SCTP and MOBIKE should give some fun!
Permalink | Reply | 23 comments |
headers
Tero Kivinen | 1 Sep 2004 12:20
Picon
Picon
Favicon

[Ipsec] big IKE packets

Michael Richardson writes:
> I wonder if one solution to the problem of large IKE packets
> (that require fragmentation) wouldn't be to define a fragmentation
> header in IKE.

There is also such method, it is called IP. The IP packets already
offers fragmentation, why should we do it again on the IKE level?

If the operating system vendor who implemented IP stack didn't know
how to make the fragmentation, how can you expect him to be able to
make IKE fragmentation to the IPsec stack of the OS?

The only difference would be the separate acks for fragments, but I do
not think this fragmentation in IKE would really help, as it just adds
one more complicated option, and I think people would be leaving the
implementation of it out from their products.

The HTTP transfer of certificates is much better sulution for that.
--

-- 
kivinen <at> safenet-inc.com
Permalink | Reply | 0 comments |
headers
Tero Kivinen | 1 Sep 2004 12:42
Picon
Picon
Favicon

RE: [Ipsec] big IKE packets

Bob Doud writes:
> Keep in mind that Linux implemenations send out the last
		   ^ Old

> fragment first, so you're going to see a lot of that.  We're
> not going to hold our breath waiting for that to be changed!

No need to hold your breath anymore, I think it has been fixed at
least in 2.6 already.
--

-- 
kivinen <at> safenet-inc.com
Permalink | Reply | 0 comments |
headers
Yoav Nir | 1 Sep 2004 12:31
Picon
Favicon

RE: [Ipsec] big IKE packets

Those stupid DSL routers know (sort-of) how to deal with TCP.  They can live
with UDP (as long as it does not need fragmentation).  They usually drop
ICMP, ESP and AH.  I wouldn't trust them to pass SCTP. 

-----Original Message-----
From: Francis.Dupont <at> enst-bretagne.fr
[mailto:Francis.Dupont <at> enst-bretagne.fr] 
Sent: Wednesday, September 01, 2004 1:02 PM
To: Yoav Nir
Cc: 'Michael Richardson'; 'Paul Hoffman / VPNC'; ipsec <at> lists.tislabs.com;
pki4ipsec <at> honor.icsalabs.com
Subject: Re: [Ipsec] big IKE packets 

 In your previous mail you wrote:

   Things like hash-and-URL solve one problem, but I think IKE over TCP
   is a better solution.

   Like any proposal, I guess this too falls into the too-late-for-IKEv2
   category, but it still could be submitted as a private draft.

=> if we agree to change UDP for a better protocol, IMHO SCTP is
the best candidate (BTW it was designed for signaling, and IKE is
a signaling protocol).

Regards

Francis.Dupont <at> enst-bretagne.fr

PS: interaction of IKE over SCTP and MOBIKE should give some fun!
Permalink | Reply | 21 comments |
headers
Yoav Nir | 1 Sep 2004 13:44
Picon
Favicon

RE: big IKE packets

Oops, sorry. I meant Michael's idea.

-----Original Message-----
From: Yoav Nir [mailto:ynir <at> checkpoint.com] 
Sent: Wednesday, September 01, 2004 10:04 AM
To: 'Michael Richardson'; 'Paul Hoffman / VPNC'
Cc: 'ipsec <at> lists.tislabs.com'; 'pki4ipsec <at> honor.icsalabs.com'
Subject: RE: [Ipsec] big IKE packets 

<snip>

I'm just not sure Suren's idea is the best way to solve this.  What my
company did was to allow IKE to pass over TCP (we used port 500).  This has
some advantages, and some disadvantages.
<snip>
Permalink | Reply | 1 comment |
headers
Paul Koning | 1 Sep 2004 18:51

RE: [Ipsec] big IKE packets

>>>>> "Yoav" == Yoav Nir <ynir <at> checkpoint.com> writes:

 Yoav> Those stupid DSL routers know (sort-of) how to deal with TCP.
 Yoav> They can live with UDP (as long as it does not need
 Yoav> fragmentation).  They usually drop ICMP, ESP and AH.  I
 Yoav> wouldn't trust them to pass SCTP.

To what extent should we pessimize the protocol design to work around
defective network equipment?

	  paul
Permalink | Reply | 11 comments |

Gmane