RE: MS-Frag extension to L2TP/IPSec NAT-T

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 24 Nov 2003 21:06:45 +0100

Hi John,

that was not the answer I was expecting ;-)

When you use PPTP with EAP/TLS or L2TP/IPSec you need to exchange
certificate chains. In most cases this inherently results in IP fragments
created at the VPN endpoints. This is a well-known issue. Moreover, the IETF
IPSec working group has refused to solve that fundamental IP fragment
problem when designing the new IPSec NAT-T.

On customer demand, Microsoft has implemented in the new L2TP/IPSec NAT-T
stacks an MS-Frag extension. When both endpoints support the MS-Frag
extension, IP fragments will no longer occur because the fragmentation will
be done on a much higher level in the protocol stack. From what I heard,
Microsoft has designed the MS-Frag extension as an open protocol extension
and made it publicly available on MSDN. However, I can't find it anywhere.

For more info about MS-Frag, check out:
- http://www.microsoft.com/usa/webcasts/ondemand/2323.asp
- http://downloads.mymsevents.com/files/Events/30/3513/SEC406_Riley.ppt


Thanks,
Stefaan

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
Sent: Monday, 24 November 2003 7:56
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: MS-Frag extension to L2TP/IPSec NAT-T


http://www.ISAserver.org

The great Stefaan asking a question of us? Wow, I am honored.

Problem with forcing no fragmentation is that you do not always get an
accurate packet size negotiation. This can be because of black holes,
firewalls or routers set to ignore the Do Not Fragment bit, improper web server
configurations which can block the packet size discovery, PPPoE connections
and others. I have even seen references to turn off PMTU size discovery. In
these cases, you then also need to ensure the computer is set to use smaller
size packets from the beginning.

FYI, when I or clients have had problems, an MTU size of 1404 in the registry
has always solved it.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx]
> Sent: Sunday, November 23, 2003 7:54 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] MS-Frag extension to L2TP/IPSec NAT-T
>
> http://www.ISAserver.org
>
> Hey guys,
>
> in numerous excellent webcasts and presentations about IPSec and NAT-T,
> Steve Riley talks about a Microsoft extension MS-Frag to prevent IP
> fragmentation when certificates are used for machine and/or user
> authentication. It is my understanding that the specifications of this
> extension were publicly available. However, I don't seem to find it ;-(
>
> Can anybody point me in the right direction?
>
> Thanks,
> Stefaan
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> johnlist@xxxxxxxxxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')

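The packet-size negotiation failure John describes above (a black-hole hop that drops oversized DF-marked packets without ever returning ICMP "fragmentation needed") can be diagnosed from the host side by treating silence as "too big" and searching downward. This is an added illustration, not code from the thread, from Microsoft or from Steve Riley's material; the `probe` callback, the simulated black-hole path, the `ping -M do` helper and the 576..1500 search window are assumptions.

```python
"""Host-side path MTU probe that tolerates PMTU black holes.

A black-hole router drops a DF-marked packet that exceeds its MTU but
never sends ICMP 'fragmentation needed', so the sender's PMTU discovery
stalls. Treating silence as "too big" and searching downward still
finds a size that gets through.
"""
import subprocess
from typing import Callable

def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Largest total IPv4 size in [lo, hi] for which probe(size) is answered.

    probe(size) must return True only if a DF-marked packet of `size`
    bytes got a reply; a timeout counts as False. Returns 0 if even `lo`
    is unanswered (the path is broken, not merely small).
    """
    if not probe(lo):
        return 0
    while lo < hi:                      # invariant: probe(lo) is True
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo

def black_hole_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed simulation of a black-hole path: silently drops anything
    larger than path_mtu and never returns ICMP, which is all the probe sees."""
    return lambda size: size <= path_mtu

def linux_ping_probe(host: str) -> Callable[[int], bool]:
    """Real probe using `ping -M do` (DF set). ICMP echo adds 28 bytes of
    IP+ICMP headers, so payload = size - 28. Assumes iputils ping on Linux."""
    def probe(size: int) -> bool:
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(size - 28), host]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe

def ipv4_fragment_count(datagram_len: int, link_mtu: int, ip_header: int = 20) -> int:
    """How many IPv4 fragments a datagram of datagram_len bytes becomes on a
    link of link_mtu bytes (fragment payloads are multiples of 8 bytes)."""
    per_frag = ((link_mtu - ip_header) // 8) * 8
    data = datagram_len - ip_header
    return max(1, -(-data // per_frag))

if __name__ == "__main__":
    # A path that silently black-holes anything over 1404 bytes (constructed).
    print(find_path_mtu(black_hole_path(1404)))        # 1404
    # A ~3 KB IKE message carrying a certificate chain, before MS-Frag.
    print(ipv4_fragment_count(3000, 1500))             # 3
```

Swap `black_hole_path(...)` for `linux_ping_probe("<vpn-endpoint>")` to run it against a real path; the returned size minus the IPsec NAT-T encapsulation overhead is what the tunnelled packets must fit in.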
