
Re: Problem about reassembly and fragmentation



Scott Fluhrer wrote:

I assume that the following are recurring arguments:

> - The end application is too stupid to understand PMTU

I would think this only applies in the transport mode case.
The end application shouldn't be the issue -- its OS should take care of this. 
If the OS is too stupid to have PMTU then it likely won't have IPsec.

> - There's a firewall between the security gateway and the end system which
> drops all ICMP messages

If someone has a broken or misconfigured firewall, then why do we presume it
will pass any of the IPsec traffic (ports 500, 50 or 51)? Ex: if someone has
some clamped down firewall that only allows initiating tcp/25 outgoing, then
it's not going to allow IPsec through either.

> In either of these cases, PMTU doesn't work.  And hence, we're either going to
> stop supporting those legacy networks, or we're just going to allow security
> gateways to fragment anyways.

Are these old legacy networks with obsolete firewalls and OSs a problem worth
solving? Disallowing fragments is a big win. If it can reduce HW costs and
time to deployment, as well as reduce DoS risks, then the restriction seems
worthwhile.

As the Internet moves to more and more tunneling (such as MPLS), the need for
PMTU will increase.  Go with the flow.

-david waitzman
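The two firewall scenarios argued about above (one that drops every ICMP message and so blackholes PMTU discovery, and one so clamped down that it passes nothing but outbound tcp/25) can be checked mechanically against a rule set. The following is an added example, not part of the original thread or of any product: a small first-match packet-filter model with constructed rule sets, audited for the flows an IPsec gateway and PMTU discovery depend on (IKE on UDP/500, ESP as IP protocol 50, AH as IP protocol 51, and the ICMP "fragmentation needed" message, type 3 code 4). The `Flow`, `Rule`, `decide` and `audit` names and the rule sets are all assumptions made for the example.

```python
"""Audit a constructed packet-filter rule set for the flows that IPsec and
Path MTU discovery need.  Example code written for this thread; the rule
sets below are constructed, not taken from any real firewall."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# IP protocol numbers and the IKE port discussed in the thread.
ICMP, TCP, UDP = 1, 6, 17
ESP, AH = 50, 51
IKE_UDP_PORT = 500


@dataclass(frozen=True)
class Flow:
    """One packet class we want to know the verdict for."""
    proto: int
    dst_port: Optional[int] = None    # TCP/UDP only
    icmp_type: Optional[int] = None   # ICMP only
    icmp_code: Optional[int] = None   # ICMP only


@dataclass(frozen=True)
class Rule:
    """A filter rule; a None field means 'match any value'."""
    action: str                       # "allow" or "drop"
    proto: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        pairs = ((self.proto, f.proto), (self.dst_port, f.dst_port),
                 (self.icmp_type, f.icmp_type), (self.icmp_code, f.icmp_code))
        return all(want is None or want == have for want, have in pairs)


def decide(rules: List[Rule], flow: Flow, default: str = "drop") -> str:
    """First-match semantics with a default-drop policy, as most filters use."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return default


# The flows an IPsec gateway needs, plus the one ICMP message PMTUD relies on.
REQUIRED: Dict[str, Flow] = {
    "IKE (UDP/500)": Flow(UDP, dst_port=IKE_UDP_PORT),
    "ESP (IP proto 50)": Flow(ESP),
    "AH (IP proto 51)": Flow(AH),
    "ICMP fragmentation needed (type 3, code 4)": Flow(ICMP, icmp_type=3, icmp_code=4),
}


def audit(rules: List[Rule]) -> Dict[str, str]:
    """Verdict for every required flow under the given rule set."""
    return {name: decide(rules, flow) for name, flow in REQUIRED.items()}


def blocked(rules: List[Rule]) -> List[str]:
    """Names of required flows the rule set does not allow, sorted."""
    return sorted(name for name, verdict in audit(rules).items() if verdict != "allow")


# Constructed rule set 1: passes IPsec but drops all ICMP.  PMTU discovery
# cannot work behind this, which is the case Scott describes.
DROP_ALL_ICMP = [
    Rule("allow", proto=UDP, dst_port=IKE_UDP_PORT),
    Rule("allow", proto=ESP),
    Rule("allow", proto=AH),
    Rule("drop", proto=ICMP),
]

# Constructed rule set 2: the same, but the single ICMP message PMTUD needs is
# permitted ahead of the blanket ICMP drop.
PMTUD_FRIENDLY = [Rule("allow", proto=ICMP, icmp_type=3, icmp_code=4)] + DROP_ALL_ICMP

# Constructed rule set 3: only outbound tcp/25, the clamped-down firewall from
# the reply; it blocks IPsec and PMTUD alike.
SMTP_ONLY = [Rule("allow", proto=TCP, dst_port=25)]


if __name__ == "__main__":
    for label, rules in (("drop-all-icmp", DROP_ALL_ICMP),
                         ("pmtud-friendly", PMTUD_FRIENDLY),
                         ("smtp-only", SMTP_ONLY)):
        print(f"{label}: blocked = {blocked(rules) or 'none'}")
```

Running it shows the split the thread is arguing over: the drop-all-ICMP set passes IKE, ESP and AH but blocks the fragmentation-needed message, so PMTU discovery fails behind it even though IPsec is reachable; the clamped-down set blocks all four, which is the situation the reply has in mind. The fix in the second rule set is ordering: a narrow allow for ICMP type 3 code 4 placed before the blanket ICMP drop.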