
Re: TO COMPRESS OR NOT TO CMPRS (please reply)



> Yes, but isn't that a Hard Problem (tm) unless you keep state (either
> "virtual interfaces" or individual packets) at the tunnel endpoints?

Well, given that you already need per-outbound-SA state (for the
session key and replay detection) this doesn't seem to be a major
burden.  A per-outbound-SA MTU would seem to be the Right Answer..

> How else do you convert an ICMP Fragmentation Required message for a
> tunneled (and auth'd and 'crypted) packet back into an ICMP
> Fragmentation Required for the original, untunnelled packet?

Well, one "cheat" occurs to me: don't send a "FR" when you receive a
FR; instead, just record the MTU and let the packet fall on the floor;
if it was important, the sender will retransmit it; when this happens
(assuming it's too large), generate a new "fragmentation required"
ICMP message.  One drawback is that it takes two packets (instead of
one) for a new tunnel to learn the MTU..

					- Bill
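
The per-outbound-SA MTU and the "record, drop, answer the retransmit" scheme described above, as an added example that is not part of the original post. The struct, function names, the 576-byte floor and the fixed per-packet overhead are hypothetical, and inner packets are assumed to carry DF.

```c
#include <stdint.h>

#define MTU_FLOOR 576  /* assumed policy floor: ICMP errors are unauthenticated */

/* Hypothetical per-outbound-SA state; all names here are illustrative. */
struct out_sa {
    uint32_t spi;       /* identifies the SA on the wire */
    uint32_t seq;       /* replay counter, already kept per SA */
    uint16_t path_mtu;  /* MTU learned for the tunnel path */
    uint16_t overhead;  /* outer IP header + IPsec header/trailer bytes */
};

enum verdict { SEND_TUNNELED, DROP_SEND_FRAG_NEEDED };

/* An ICMP Fragmentation Required arrived for a tunneled packet.
 * Record the MTU only; nothing is relayed to the original sender.
 * quoted_spi is the SPI read from the packet bytes quoted in the ICMP error.
 * Returns 1 if the SA's MTU was lowered, 0 if the message was ignored. */
int sa_icmp_frag_needed(struct out_sa *sa, uint32_t quoted_spi,
                        uint16_t next_hop_mtu)
{
    if (quoted_spi != sa->spi)          /* error is not about this SA */
        return 0;
    if (next_hop_mtu < MTU_FLOOR)       /* implausibly small, ignore */
        return 0;
    if (next_hop_mtu >= sa->path_mtu)   /* never raise the MTU from ICMP */
        return 0;
    sa->path_mtu = next_hop_mtu;
    return 1;
}

/* Outbound path, also hit by the sender's retransmission. If the inner
 * packet no longer fits, drop it and tell the caller which MTU to put in
 * a fresh ICMP Fragmentation Required addressed to the original sender. */
enum verdict sa_output(struct out_sa *sa, uint16_t inner_len,
                       uint16_t *report_mtu)
{
    if ((uint32_t)inner_len + sa->overhead <= sa->path_mtu) {
        sa->seq++;
        return SEND_TUNNELED;
    }
    *report_mtu = (uint16_t)(sa->path_mtu - sa->overhead);
    return DROP_SEND_FRAG_NEEDED;
}
```

The first oversized packet is lost on the path and only the retransmission draws the ICMP reply, which is the two-packet cost mentioned in the post.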

