
Re: MTU considerations (was: Public key distribution methods?)



At 10:20 AM -0800 11/6/02, Michael Thomas wrote:
>Stephen Kent writes:
>  > To be fair, there are some limitations with this approach. First, it
>  > means moving more bits across the wire during SA establishment, and
>  > we have seen some problems re fragmentation when the IKE UDP packets
>  > get big, e.g., as a result of packing in too many certs/CRLs.
>
>Honestly, I'm sort of surprised that this wg
>hasn't been bludgeoned by the transport police
>about this. My understanding is that certs are
>quite often in and of themselves bigger than
>ethernet max MTU which means that IKE phase I is
>fragmenting in a significant set of cases.
>
>Should this have been reflected in the
>requirements? I'm not suggesting a solution here,
>but I'd think that for large VPN concentrators
>during restart conditions this may be an not
>insignificant issue.
>

The size of a cert varies depending on many things, including the 
choice of name style.  But in my experience it would be inaccurate 
to say that an individual cert is quite often bigger than the 1500 
byte Ethernet MTU.

Steve