Re: [IPsec] IPsecME virtual interim meeting (revised date)

"Valery Smyslov" <> Tue, 07 May 2013 12:41 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 475F221F8E2C for <>; Tue, 7 May 2013 05:41:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_50=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uNZ2LOsvBogk for <>; Tue, 7 May 2013 05:41:19 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 1445421F8E5F for <>; Tue, 7 May 2013 05:41:14 -0700 (PDT)
Received: by with SMTP id y6so661893lbh.3 for <>; Tue, 07 May 2013 05:41:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=x-received:message-id:from:to:references:subject:date:mime-version :content-type:content-transfer-encoding:x-priority:x-msmail-priority :x-mailer:x-mimeole; bh=xK3YNXjZHqnxP1/li8wgGK+1Igi9UBC9WjHsopUANFY=; b=Ik46CQW2Ynrq9IXg55WlT3YR7+5f/eF4VRUo2NOH0ka++XwE8JE5aZup+hiDvx0Rca FIYxRdsk9m/kAxHfD3YpNyXE3EDWDbei6mlGXD+CbIhXp0wDO9mdHQArDE/gFgLdHT/s QW5cKK2/zjw1lPIJ1RUk8U0AMO8+EwveqAgsGCTHYu5aO9N1f2xtx8ktm1jxluQ+GB4h d7F7mFwcUP2d7FeDTywmCNRjyXIY0faVqtLMCBBp6DrCLIYKiejsmp8rEQYtQBxSfKRO RwNt18z8sGOpk/NJdEtqyvhvcl4bGsOc5I3uznQuqHBZDOCssd5b4rE3BwdGO0rjwPW0 i0CQ==
X-Received: by with SMTP id ac8mr913301lbc.115.1367930474044; Tue, 07 May 2013 05:41:14 -0700 (PDT)
Received: from buildpc ([]) by with ESMTPSA id t17sm10211537lbd.11.2013. for <> (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 07 May 2013 05:41:13 -0700 (PDT)
Message-ID: <1D5C3857EF7C48AF9A952CB5AEA3CB21@buildpc>
From: Valery Smyslov <>
To: IPsecme WG <>
References: <>
Date: Tue, 07 May 2013 16:40:58 +0400
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="response"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-Mimeole: Produced By Microsoft MimeOLE V6.00.2900.6157
Subject: Re: [IPsec] IPsecME virtual interim meeting (revised date)
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 07 May 2013 12:41:26 -0000

Hi alll,

before the meeting I'd like to express some thoughts about the topic.

First, I think this is a very important problem. Untill we implemented
IKE fragmentation, many of our "road warrior" customers complained that
they couldn't use IPsec from public places, like hotels, restaraunts etc.
Such places often use cheap SOHO NAT boxes, that don't
pass IP fragments through.

Second, I (obviously) support draft-smyslov-ipsecme-ikev2-fragmentation
as solution for IKEv2, for the following reasons:

1. comparing with the non-standard IKEv1 mechanism it is more robust
    to DoS attacks (for the modest price), provides capability for PMTU 
    well suited for IKEv2 and is IPR free. It is implemented and tested in 

2. IKE-over-TCP is an interesting solution, but, I think, it became too 
    as more details were considered. As usual, devil in details.

Valery Smyslov.

> The ipsecme working group is chartered to come up with a solution for 
> transporting long IKEv2 messages over networks that do not perform IP 
> fragmentation correctly, and as a result drop overly long messages, 
> usually IKE_AUTH messages.
> We would like to invite the group to a Virtual Interim Meeting (a.k.a. 
> conference call), to discuss this problem.
> Potential outcomes of the meeting include:
> - The group decides that this is not an important problem.
> - This is an important problem and we have 1-2 people committed to author 
> a draft along the lines of the non-standard IKEv1 mechanism.
> - This is an important problem and the group is happy to adopt 
> draft-smyslov-ipsecme-ikev2-fragmentation (which solves the same problem 
> in a somewhat different fashion).
> - The group still prefers IKE-over-TCP and there are committed authors to 
> continue work on that draft.