[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKE negotiation for fragmentation controls in IPsec

On Wed, 25 Jun 2003, Stephen Kent wrote:
> As we revise 2401, we may choose to allow (or even recommend) 
> plaintext (pre-IPsec encapsulation) fragmentation. If so, we need to 
> be able to negotiate use of this capability on a per-SA basis, and to 
> notify the receiver that NO ciphertext fragments should be accepted 
> for this SA, because none will be sent by this transmitter...

There is a problem here, in that fragmentation is not entirely under the
control of the transmitter.  Intervening gateways may fragment the
encrypted packets.  This situation can change dynamically, as routing
changes, and the transmitter can't count on getting feedback about it,
because many firewalls apparently block ICMP Fragmentation Required

                                                          Henry Spencer