
fragmentation




Since you can't rely on getting an ICMP when your packet
is too large, and you can't be certain that frags pass
through routers, what is left?

What if the IPsec endpoints used the DF-bit and an MTU
discovery that *didn't* rely on ICMP?  One could use e.g.
encrypted ping packets (of varying sizes, with DF set)
to ensure that the route between the endpoints is capable
of handling them.  This way, there is no need to rely
on unprotected ICMPs (if you would happen to get them),
or on the behavior of the routers in between.

An ordinary MTU discovery mechanism can be implemented
on top of the encrypted ping.

(Maybe this has already been suggested?)

-Sami
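The mechanism sketched above, as an added illustration that is not part of the original message: a simulated path that silently drops oversized DF-set packets (no ICMP at all), an HMAC-authenticated probe standing in for the "encrypted ping", and a binary search for the largest probe size the peer echoes back. The path simulation, the probe layout and all names are assumptions made for this example.

```python
import hashlib
import hmac
import random

MAC_LEN = 32  # bytes of HMAC-SHA256 appended to every probe

class SimulatedPath:
    """Constructed stand-in for the real network: a DF-set packet larger
    than the smallest link MTU is silently dropped (no ICMP), and a
    fraction of the rest is lost at random."""

    def __init__(self, link_mtus, loss_rate=0.0, seed=7):
        self.path_mtu = min(link_mtus)
        self.loss_rate = loss_rate
        self.rng = random.Random(seed)

    def deliver_df(self, packet: bytes) -> bool:
        if len(packet) > self.path_mtu:
            return False  # too big: dropped without any notification
        return self.rng.random() >= self.loss_rate

def make_probe(key: bytes, seq: int, size: int) -> bytes:
    """Probe of exactly `size` bytes: seq + size, zero padding, then an
    HMAC standing in for the integrity check of the encrypted ping."""
    body = seq.to_bytes(4, "big") + size.to_bytes(2, "big")
    body += b"\x00" * (size - len(body) - MAC_LEN)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def probe_ok(path, key, seq, size, retries=3) -> bool:
    """A size passes if any of `retries` probes is echoed with a valid HMAC."""
    for attempt in range(retries):
        pkt = make_probe(key, seq + attempt, size)
        if path.deliver_df(pkt):
            mac = hmac.new(key, pkt[:-MAC_LEN], hashlib.sha256).digest()
            return hmac.compare_digest(pkt[-MAC_LEN:], mac)
    return False  # every probe vanished: treat the size as too big

def discover_pmtu(path, key, lo=576, hi=1500, retries=3) -> int:
    """Binary search for the largest DF-set probe size the path delivers;
    `lo` is assumed deliverable, so the result is never below it."""
    seq = 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe_ok(path, key, seq, mid, retries):
            lo = mid
        else:
            hi = mid - 1
        seq += retries
    return lo
```

The retries are what let the search tell ordinary packet loss from a black hole, which is the same problem RFC 4821 (Packetization Layer Path MTU Discovery) later addressed with probe-based discovery instead of ICMP.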
