
MTU considerations (was: Public key distribution methods?)



Stephen Kent writes:
 > To be fair, there are some limitations with this approach. First, it 
 > means moving more bits across the wire during SA establishment, and 
 > we have seen some problems re fragmentation when the IKE UDP packets 
 > get big, e.g., as a result of packing in too many certs/CRLs. 

Honestly, I'm sort of surprised that this wg
hasn't been bludgeoned by the transport police
about this. My understanding is that certs are
quite often in and of themselves bigger than
ethernet max MTU which means that IKE phase I is
fragmenting in a significant set of cases.

Should this have been reflected in the
requirements? I'm not suggesting a solution here,
but I'd think that for large VPN concentrators
during restart conditions this may be a not
insignificant issue.

		Mike
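The sizing question raised in the message above can be worked through concretely. The following is an added example, not code from this thread or from either author: it packs constructed filler certificate bytes (not real DER) into ISAKMP CERT payloads laid out per RFC 2408, wraps them in a Main Mode header, and then fragments the resulting UDP datagram the way an IPv4 stack would at the 1500-byte Ethernet MTU per RFC 791. The header sizes and field layouts come from those RFCs; the certificate sizes fed in are assumed values chosen to bracket typical X.509 certificates.

```python
"""Size an IKE Phase 1 (ISAKMP) datagram carrying CERT payloads and show how
it fragments at the Ethernet MTU.

Added illustration only: the certificate bytes are constructed filler, not
real DER, and the layouts follow RFC 2408 (ISAKMP) and RFC 791 (IPv4)."""

import struct
from typing import List, Tuple

ISAKMP_HEADER_LEN = 28     # RFC 2408 3.1: 2x8-byte cookies, np, ver, xchg, flags, msgid, length
GENERIC_PAYLOAD_HDR = 4    # RFC 2408 3.2: next payload, reserved, payload length
UDP_HEADER_LEN = 8
IPV4_HEADER_LEN = 20       # no IP options
ETHERNET_MTU = 1500

PAYLOAD_NONE = 0
PAYLOAD_CERT = 7               # RFC 2408 3.1 payload type for CERT
CERT_X509_SIG = 4              # RFC 2408 3.9 encoding: X.509 Certificate - Signature
EXCHANGE_IDENTITY_PROTECT = 2  # Main Mode
ISAKMP_VERSION = 0x10          # major 1, minor 0


def build_cert_payload(cert_der: bytes, next_payload: int) -> bytes:
    """Generic payload header, one-byte cert encoding, then the certificate data."""
    body = struct.pack("!B", CERT_X509_SIG) + cert_der
    length = GENERIC_PAYLOAD_HDR + len(body)
    return struct.pack("!BBH", next_payload, 0, length) + body


def build_isakmp_message(certs: List[bytes]) -> bytes:
    """A Phase 1 message whose payloads are only CERT payloads (enough for sizing).

    Cookie values are fixed placeholders; a real responder cookie is derived
    from the initiator's message and is irrelevant to the datagram size."""
    payloads = b""
    for i, cert in enumerate(certs):
        nxt = PAYLOAD_CERT if i < len(certs) - 1 else PAYLOAD_NONE
        payloads += build_cert_payload(cert, nxt)
    total = ISAKMP_HEADER_LEN + len(payloads)
    header = struct.pack(
        "!8s8sBBBBII",
        b"\x11" * 8, b"\x22" * 8,               # initiator / responder cookies (placeholders)
        PAYLOAD_CERT, ISAKMP_VERSION,
        EXCHANGE_IDENTITY_PROTECT, 0,           # exchange type, flags
        0, total,                               # message ID (0 in Phase 1), total length
    )
    return header + payloads


def ipv4_fragments(udp_payload: bytes, mtu: int = ETHERNET_MTU) -> List[Tuple[int, int, bool]]:
    """Split one UDP datagram into the IPv4 fragments a link of the given MTU forces.

    Returns (offset_bytes, data_len, more_fragments) per fragment. Every
    offset is a multiple of 8 because RFC 791 expresses offsets in 8-octet
    units; only the first fragment carries the UDP header, so a port-based
    filter sees ports on just that one. A single entry means no fragmentation."""
    datagram = UDP_HEADER_LEN + len(udp_payload)       # IP payload = UDP header + data
    max_data = (mtu - IPV4_HEADER_LEN) // 8 * 8        # 1480 for Ethernet, already 8-aligned
    frags = []
    offset = 0
    while offset < datagram:
        n = min(max_data, datagram - offset)
        more = offset + n < datagram
        frags.append((offset, n, more))
        offset += n
    return frags


def phase1_fragment_count(cert_sizes: List[int], mtu: int = ETHERNET_MTU) -> int:
    """Number of IPv4 fragments a Phase 1 message carrying certs of these sizes needs.

    Losing any one fragment loses the whole message, so each extra fragment
    is another chance for the exchange to stall and retransmit."""
    certs = [bytes([0x30]) * n for n in cert_sizes]   # constructed filler standing in for DER
    return len(ipv4_fragments(build_isakmp_message(certs), mtu))


if __name__ == "__main__":
    # Assumed chain shapes: one RSA-1024-ish cert, one larger cert, cert plus CA, a 3-deep chain.
    for chain in ([1200], [1600], [1100, 1100], [1300, 1300, 1300]):
        print(f"certs {chain}: {phase1_fragment_count(chain)} fragment(s) at MTU {ETHERNET_MTU}")
```

Running the block shows that a single certificate under about 1.4 KB fits in one Ethernet frame, while a cert plus its issuing CA cert, or any cert larger than roughly 1460 bytes, already forces fragmentation of the Phase 1 message; a three-cert chain needs three fragments.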