Monday, June 18, 2018

IKEv2 fragments

IKEv2 messages can become extremely large under various conditions (for example, exchanges that carry certificates). Since these messages are UDP based and have no transport-layer mechanism to discover the path MTU (nothing comparable to TCP's MSS, the Maximum Segment Size), the IKEv2 process needs to control fragmentation at the application layer of the Internet Key Exchange.

So after the IKEv2 IKE_SA_INIT exchange, we need to set and control the fragment size for the subsequent and pending exchange messages.



You can review the total number of fragments in a packet decoder such as Wireshark,

e.g

NOTE: take note of the SPI for INITIATOR AND RESPONDER.


So we know that three individual messages make up this IKE_AUTH message. So during IKEv2 troubleshooting, make sure you are aware of the total number of fragments and of any missed fragments if you are experiencing IKEv2 issues.


This is easily accomplished with packet captures at both ends. If a message is split into three packets and one is missed, it would be the equivalent of "trying to read a book with every other word missing".
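To make the "count the fragments at both ends" check concrete, here is an added Python example (not from the original post) that parses the IKEv2 Encrypted Fragment payload (type 53, RFC 7383) out of raw UDP payloads and reports which fragment numbers of each message never arrived, keyed by initiator SPI, responder SPI and Message ID. The SPIs, Message IDs and the capture contents are constructed test data; the encrypted bodies are dummy bytes.

```python
import struct
from collections import defaultdict

IKE_HDR = struct.Struct("!QQBBBBII")   # iSPI, rSPI, next payload, version, exchange, flags, msg id, length
FRAG_HDR = struct.Struct("!BBHHH")     # next payload, critical/reserved, length, fragment number, total fragments
SKF = 53        # Encrypted Fragment payload type (RFC 7383)
IKE_AUTH = 35   # exchange type of the message being fragmented in the post

def parse_fragment(datagram):
    """Return (ispi, rspi, msgid, frag_no, total) for an SKF datagram, or None if it is not one."""
    if len(datagram) < IKE_HDR.size + FRAG_HDR.size:
        return None
    ispi, rspi, nxt, ver, xchg, flags, msgid, length = IKE_HDR.unpack_from(datagram)
    if nxt != SKF or (ver >> 4) != 2:          # only IKEv2 messages whose first payload is SKF
        return None
    _, _, plen, frag_no, total = FRAG_HDR.unpack_from(datagram, IKE_HDR.size)
    if plen < FRAG_HDR.size or IKE_HDR.size + plen > len(datagram):
        return None                            # payload length does not fit the datagram
    if frag_no == 0 or frag_no > total:        # RFC 7383: fragment numbers are 1-based and <= total
        return None
    return ispi, rspi, msgid, frag_no, total

def missing_fragments(datagrams):
    """Group SKF fragments by (iSPI, rSPI, Message ID) and list the fragment numbers never seen."""
    seen = defaultdict(set)
    totals = {}
    for d in datagrams:
        parsed = parse_fragment(d)
        if parsed is None:
            continue
        ispi, rspi, msgid, frag_no, total = parsed
        key = (ispi, rspi, msgid)
        seen[key].add(frag_no)
        totals[key] = total
    return {key: sorted(set(range(1, totals[key] + 1)) - seen[key]) for key in seen}

def build_fragment(ispi, rspi, msgid, frag_no, total, body=b"\x00" * 16):
    """Construct a synthetic SKF fragment of an IKE_AUTH message (constructed test data, dummy ciphertext)."""
    payload = FRAG_HDR.pack(0, 0, FRAG_HDR.size + len(body), frag_no, total) + body
    hdr = IKE_HDR.pack(ispi, rspi, SKF, 0x20, IKE_AUTH, 0x08, msgid, IKE_HDR.size + len(payload))
    return hdr + payload

# Constructed capture: one IKE_AUTH message split into 3 fragments, fragment 2 lost on the path.
CAPTURE = [build_fragment(0x1111, 0x2222, 1, n, 3) for n in (1, 3)]

if __name__ == "__main__":
    for (ispi, rspi, msgid), lost in missing_fragments(CAPTURE).items():
        print(f"iSPI {ispi:016x} rSPI {rspi:016x} msg {msgid}: missing fragments {lost}")
```

Running the same function over a capture from the other end of the tunnel shows whether the gap is on the path (fragment sent, never received) or on the sender (fragment never emitted).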

Now if IKE messages are missing along the way, you can try the following:

1: lower the overall interface MTU, but this will affect ALL other traffic types

2: adjust the IKEv2 fragment MTU size, if the device supports it (Juniper and Cisco have support for this in various systems, btw)








NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \



