Re: I-D ACTION:draft-ietf-ipsec-arch-sec-02.txt

[Mohan.Parthasarathy@Eng.Sun.Com (Mohan Parthasarathy)]

I have a clarification to make regarding the ICMP PMTU
calcualtion. I want to make sure that my understanding
is right regarding this though it could be just some
implementation details.

In section 6.1.2.2 and section B.3.2, there is some
discussion regarding PMTU calculation. 

>The calculation of PMTU from an ICMP PMTU has to take into account
>the addition of any IPsec header by H1 -- AH and/or ESP transport, or
>ESP or AH tunnel.

Is this true in general or it discusses the specific case of
security gateway example ?

I understand that in the case of Security Gateway
reporting the PMTU to the host, it should account for the
additional IPSEC header that it would insert for that host.
In the case of end-to-end host implementing IPSEC (integrated
with IP) the host receiving the PMTU need not adjust for
the IPSEC header and report the PMTU directly to the upper
layers. Before even the datagram goes out, the MTU stored
at the socket level should take care of the extra IPSEC headers.
Is this right ? 

The document discusses the issues of authenticated and 
unauthenticated ICMP messages. But the IP datagram that
is being returned (attached to the ICMP message) may not
be the real one. Somebody can fake this one. Should this
be mentioned somewhere so that the implementor can think
of someway to handle this e.g logging the message etc.?

-mohan

---

Follow-Ups:

• Re: I-D ACTION:draft-ietf-ipsec-arch-sec-02.txt
• From: Michael Richardson <mcr@sandelman.ottawa.on.ca>

---

• Prev by Date: Re: Auto filter rule generation for Phase 2 tunnels
• Next by Date: modifications in draft-ietf-ippcp-protocol-02.txt
• Prev by thread: Re: draft-ietf-ipsec-arch-sec-02.txt and last call
• Next by thread: Re: I-D ACTION:draft-ietf-ipsec-arch-sec-02.txt
• Index(es):
  • Main
  • Thread