
Re: IKE negotiation for fragmentation controls in IPsec



> I keep hearing that most (maybe some) firewalls can be explicitly
> configured to discard ICMP error messages.

It's worse than that.  Very many firewalls in the as-built internet
are configured to drop all ICMP packets.

I recommend attempting to visit a broad sampling of web sites (using
http and https) from a client which:

 1) advertises a TCP MSS of 1460 (corresponding to a 1500 byte MTU)

 2) has a <1500-byte MTU on the path due to tunnels, PPPoE, or other
    bottleneck links.

You will most likely discover that many of these sites will not
successfully talk to you or mysteriously hang mid-transaction.

I believe there's an alternate path mtu discovery proposal in the
works (there was a "plpmtud" BOF last IETF; I haven't followed what
happened to it).

						- Bill
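The failure mode Bill describes, as an added simulation that is not part of the original mail or of any participant's message: a sender advertising MSS 1460 (a 1500-byte MTU) pushes DF-marked segments through a path with a smaller bottleneck MTU, the bottleneck router's ICMP "Fragmentation Needed" is eaten by a drop-all-ICMP firewall, and classic RFC 1191 PMTUD stalls mid-transfer. The `Packet`/`Path` model, the 40-byte header assumption and the `plpmtud` routine are constructed for this example; the latter is a simplified sketch of packetization-layer probing in the spirit of the "plpmtud" work mentioned above (what became RFC 4821), not that proposal's actual algorithm.

```python
"""Constructed simulation of a path-MTU-discovery black hole.

Assumptions (not from the original post): IPv4 + TCP headers total 40
bytes, the sender's MSS is 1460, and every packet carries DF as PMTUD
requires. A 'firewall_drops_icmp' path models a firewall that discards
all ICMP, so the router's Fragmentation-Needed message never arrives.
"""
from dataclasses import dataclass

IP_TCP_HEADERS = 40  # IPv4 (20) + TCP (20), no options: assumption


@dataclass
class Packet:
    size: int        # total IP packet length in bytes
    df: bool = True  # Don't Fragment, as classic PMTUD sets it


@dataclass
class Path:
    mtu: int                  # bottleneck MTU on the path (tunnel, PPPoE, ...)
    firewall_drops_icmp: bool  # "drop all ICMP" firewall in front of the sender

    def deliver(self, pkt):
        """('ack', size) if the packet fits; ('icmp', next_hop_mtu) if the
        router's Fragmentation-Needed reaches the sender; ('silence', None)
        when the firewall discards that ICMP message."""
        if pkt.size <= self.mtu:
            return ("ack", pkt.size)
        if pkt.df and not self.firewall_drops_icmp:
            return ("icmp", self.mtu)
        return ("silence", None)


def classic_pmtud(path, mss=1460, max_retransmits=5):
    """RFC 1191 behaviour: the packet size shrinks only when an ICMP
    Fragmentation-Needed arrives. Returns the effective MSS reached, or
    None if the sender just retransmits the same size until it gives up."""
    size = mss + IP_TCP_HEADERS
    for _ in range(max_retransmits):
        result, value = path.deliver(Packet(size))
        if result == "ack":
            return size - IP_TCP_HEADERS
        if result == "icmp":
            size = value  # next-hop MTU carried in the ICMP message
        # 'silence': timeout, retransmit the same size, repeat
    return None


def simulated_transfer(path, segment_sizes, max_retransmits=3):
    """Send a response made of the given TCP payload sizes with classic
    PMTUD on the sending side. Returns (bytes_delivered, hung). Small
    segments (headers, short bodies) get through; the first full-size
    one stalls when ICMP is blackholed, the 'hang mid-transaction'."""
    delivered = 0
    pmtu = None  # learned from ICMP, if any ever arrives
    for seg in segment_sizes:
        size = seg + IP_TCP_HEADERS
        if pmtu is not None:
            size = min(size, pmtu)
        acked = False
        for _ in range(max_retransmits):
            result, value = path.deliver(Packet(size))
            if result == "ack":
                acked = True
                break
            if result == "icmp":
                pmtu = value
                size = pmtu  # resegment: the rest follows in smaller packets
        if not acked:
            return delivered, True
        delivered += seg
    return delivered, False


def plpmtud(path, mss=1460, floor_mss=512):
    """Packetization-layer probing sketch: repeated loss of full-size
    segments is treated as a black hole and the largest payload the path
    acknowledges is found by search, using only the sender's own ACKs
    and never ICMP. Returns the working MSS, or None if even the floor
    size is not acknowledged."""
    def fits(payload):
        return path.deliver(Packet(payload + IP_TCP_HEADERS))[0] == "ack"

    if fits(mss):
        return mss
    if not fits(floor_mss):
        return None
    lo, hi = floor_mss, mss  # lo acknowledged, hi known to be lost
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if fits(mid):
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    black_hole = Path(mtu=1400, firewall_drops_icmp=True)
    print("classic PMTUD:", classic_pmtud(black_hole))        # None: hangs
    print("transfer:", simulated_transfer(black_hole, [300, 1460, 1460]))
    print("probing:", plpmtud(black_hole))                    # 1360
```

The `simulated_transfer` call reproduces the symptom in the post: the 300-byte response header is acknowledged, then the first MSS-sized segment is retransmitted into silence and the connection hangs with 300 bytes delivered. With the same path but ICMP allowed through, classic PMTUD drops to a 1360-byte MSS on the first retransmit; with ICMP blackholed, only a sender that probes on its own ACKs recovers.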