
Re: IPsec and Fragmentation



In message <Pine.SUN.3.94.980706131409.24624A-100000@panix3.panix.com>, "M.C.Nelson" writes:
> IPSEC WG,
> 
> I just want to add a parenthetic note, that PMTU seems to really be at
> odds with the definition and philosophy of IP,  i.e. IP in general, is
> supposed to be able to fragment packets in route, and routes are in
> general subject  to change. I have some difficulty understanding why an
> appropriate IP encryption standard that is supposed to become general
> usage, would require such dissonances with the general case use of its
> host architecture.

PMTU is an optimisation technique, and is not required for IP to work. It is,
however, strongly recommended, especially for TCP over congested networks. As
a result, many vendors have now implemented it in their operating systems. This
leads to the IPsec MUST requirement. Like many other parts of IPsec, the MUST
is "You MUST support this", not "You MUST *use* this".

Fragmentation is exceedingly evil for performance in the face of packet loss
(either due to errors or congestion); see "Fragmentation Considered Harmful"
<http://server3.pa-x.dec.com/wrl/techreports/abstracts/87.3.html> for
details...

-- 
Harald Koch <chk@utcc.utoronto.ca>

