
Re: IKE negotiation for fragmentation controls in IPsec
On Wed, 25 Jun 2003, Stephen Kent wrote:
> As we revise 2401, we may choose to allow (or even recommend) 
> plaintext (pre-IPsec encapsulation) fragmentation. If so, we need to 
> be able to negotiate use of this capability on a per-SA basis, and to 
> notify the receiver that NO ciphertext fragments should be accepted 
> for this SA, because none will be sent by this transmitter...

There is a problem here, in that fragmentation is not entirely under the
control of the transmitter.  Intervening gateways may fragment the
encrypted packets.  This situation can change dynamically, as routing
changes, and the transmitter can't count on getting feedback about it,
because many firewalls apparently block ICMP Fragmentation Required
messages. 

                                                          Henry Spencer
                                                       henry@spsystems.net
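As an added illustration of the receiver-side half of this problem (example code written for this archive page, not from the thread or from any IPsec implementation): a small IPv4/ESP classifier showing what a gateway that has agreed to accept "no ciphertext fragments for this SA" actually sees once a router on the path fragments an ESP packet. Only the first fragment carries the ESP header and its SPI; later fragments cannot be tied to any SA at all, so a per-SA policy cannot even be applied to them. The addresses, SPI and payload bytes are constructed.

```python
import struct

IPPROTO_ESP = 50  # IP protocol number for ESP


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 fields that decide whether a datagram is a fragment."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    return {"ihl": ihl, "id": ident, "proto": proto,
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "frag_off": (flags_frag & 0x1FFF) * 8}  # offset is in 8-byte units


def classify_esp(pkt: bytes) -> tuple:
    """Return (kind, spi); spi is None when the datagram carries no ESP header."""
    h = parse_ipv4(pkt)
    if h["proto"] != IPPROTO_ESP:
        return ("not-esp", None)
    if h["frag_off"] != 0:
        # Non-initial fragment: the ESP header (SPI) travelled in the first
        # fragment, so this piece cannot be matched to any SA on its own.
        return ("esp-later-fragment", None)
    spi = struct.unpack("!I", pkt[h["ihl"]:h["ihl"] + 4])[0]
    return ("esp-first-fragment" if h["mf"] else "esp", spi)


def build_ipv4(proto: int, payload: bytes, mf: bool = False, frag_off: int = 0) -> bytes:
    """Build a minimal IPv4 datagram (constructed test input; checksum left zero)."""
    flags_frag = (0x2000 if mf else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return hdr + payload


# Constructed ESP payload: SPI 0x01020304, sequence number 1, then opaque ciphertext.
ESP_PAYLOAD = struct.pack("!II", 0x01020304, 1) + bytes(range(24))
WHOLE = build_ipv4(IPPROTO_ESP, ESP_PAYLOAD)                    # as the sender emitted it
FIRST = build_ipv4(IPPROTO_ESP, ESP_PAYLOAD[:16], mf=True)      # split by a router en route
LATER = build_ipv4(IPPROTO_ESP, ESP_PAYLOAD[16:], frag_off=16)  # carries no SPI at all

if __name__ == "__main__":
    for name, pkt in (("whole", WHOLE), ("first", FIRST), ("later", LATER)):
        print(name, classify_esp(pkt))
```

Running it shows the sender's unfragmented packet, the first fragment (still carrying the SPI) and a later fragment that the receiver can only drop or reassemble blindly, since nothing in it identifies the SA.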