Re: IKE negotiation for fragmentation controls in IPsec
At 12:35 PM -0400 6/26/03, Henry Spencer wrote:
>On Wed, 25 Jun 2003, Stephen Kent wrote:
>> As we revise 2401, we may choose to allow (or even recommend)
>> plaintext (pre-IPsec encapsulation) fragmentation. If so, we need to
>> be able to negotiate use of this capability on a per-SA basis, and to
>> notify the receiver that NO ciphertext fragments should be accepted
>> for this SA, because none will be sent by this transmitter...
>
>There is a problem here, in that fragmentation is not entirely under the
>control of the transmitter. Intervening gateways may fragment the
>encrypted packets. This situation can change dynamically, as routing
>changes, and the transmitter can't count on getting feedback about it,
>because many firewalls apparently block ICMP Fragmentation Required
>messages.
>
> Henry Spencer
> henry@spsystems.net
Well, I was assuming (but I should have said so explicitly) that the
transmitter, if it negotiated this option, would set the DF bit,
having selected a suitable PMTU. You are right that route changes can
cause the PMTU to change, which would require adaptation by the
transmitter. I also acknowledge the problem posed by firewalls that
block ICMP. However, in many common cases, one will encounter the
IPsec implementation at the firewall, not behind it, and thus this
would be less of a problem.
So, given the residual problems we know about, the question still
stands whether we want to include the option, with the understanding
that the transmitter is the one who will ultimately have to take
responsibility for making this work. The receiver's job is simple,
as all it needs to do, if it wishes, is to reject post-encapsulation
fragments.
Steve
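The division of labour described in the reply, as an added illustration that is not code from this thread or from any IPsec implementation: the transmitter fragments the plaintext before ESP encapsulation, sized to a chosen PMTU, and sets DF on the outer header; an intervening gateway either forwards the ESP packet or drops it when DF forbids fragmentation (the point Henry raises about route changes); and the receiver rejects any post-encapsulation (ciphertext) fragment on an SA that negotiated the option while reassembling the plaintext fragments it does accept. The toy stream cipher, truncated HMAC, ESP overhead constants, addresses and SA fields are assumptions made for this model and are not real ESP.

```python
import hashlib, hmac, socket, struct
from dataclasses import dataclass, field

IPV4_HDR = 20
ESP = 50
# Worst-case ESP overhead assumed by this model: SPI+seq 8, IV 16, padding up
# to 15, pad-length/next-header 2, ICV 16. Real cipher suites differ.
ESP_WORST = 8 + 16 + 15 + 2 + 16

@dataclass
class IPv4Packet:
    src: str
    dst: str
    proto: int
    ident: int
    payload: bytes
    df: bool = False
    mf: bool = False
    frag_offset: int = 0  # in 8-byte units, as on the wire
    def total_length(self): return IPV4_HDR + len(self.payload)

def serialize(p):
    flags = (0x4000 if p.df else 0) | (0x2000 if p.mf else 0) | p.frag_offset
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, p.total_length(), p.ident, flags, 64,
                       p.proto, 0, socket.inet_aton(p.src), socket.inet_aton(p.dst)) + p.payload

def parse(data):
    _, _, total, ident, flags, _, proto, _, src, dst = struct.unpack(">BBHHHBBH4s4s", data[:IPV4_HDR])
    return IPv4Packet(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, ident, data[IPV4_HDR:total],
                      bool(flags & 0x4000), bool(flags & 0x2000), flags & 0x1FFF)

def fragment_ipv4(p, mtu):
    """Ordinary IPv4 fragmentation; raises when DF forbids it (a router would send ICMP instead)."""
    if p.total_length() <= mtu: return [p]
    if p.df: raise ValueError("DF set: cannot fragment")
    step = ((mtu - IPV4_HDR) // 8) * 8
    out = []
    for off in range(0, len(p.payload), step):
        last = off + step >= len(p.payload)
        out.append(IPv4Packet(p.src, p.dst, p.proto, p.ident, p.payload[off:off + step],
                              mf=(p.mf or not last), frag_offset=p.frag_offset + off // 8))
    return out

@dataclass
class SA:
    spi: int
    key: bytes
    plaintext_frag: bool  # negotiated option: sender fragments before ESP and sets DF; receiver rejects ciphertext fragments
    seq: int = 0
    stats: dict = field(default_factory=lambda: {"rejected_ciphertext_frag": 0, "decapsulated": 0})

def _keystream(key, iv, n):
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest(); i += 1
    return out[:n]

def esp_encap(sa, inner, src, dst):
    """Tunnel-mode ESP with a toy SHA-256 stream cipher and truncated HMAC (model only)."""
    plain = serialize(inner)
    pad = (-(len(plain) + 2)) % 16
    body = plain + bytes(range(1, pad + 1)) + bytes([pad, 4])  # next header 4 = IP-in-IP
    iv = hashlib.sha256(sa.key + b"iv" + sa.seq.to_bytes(4, "big")).digest()[:16]
    ct = bytes(a ^ b for a, b in zip(body, _keystream(sa.key, iv, len(body))))
    hdr = struct.pack(">II", sa.spi, sa.seq) + iv
    icv = hmac.new(sa.key, hdr + ct, hashlib.sha256).digest()[:16]
    sa.seq += 1
    return IPv4Packet(src, dst, ESP, sa.seq, hdr + ct + icv, df=sa.plaintext_frag)

def esp_decap(sa, outer):
    hdr, ct, icv = outer.payload[:24], outer.payload[24:-16], outer.payload[-16:]
    if not hmac.compare_digest(icv, hmac.new(sa.key, hdr + ct, hashlib.sha256).digest()[:16]):
        return None
    body = bytes(a ^ b for a, b in zip(ct, _keystream(sa.key, hdr[8:], len(ct))))
    return parse(body[:len(body) - 2 - body[-2]])

def send_tunnel(sa, inner, pmtu, src, dst):
    """Transmitter: with the option, pre-fragment the plaintext so every ESP packet fits the PMTU."""
    pieces = fragment_ipv4(inner, pmtu - IPV4_HDR - ESP_WORST) if sa.plaintext_frag else [inner]
    return [esp_encap(sa, p, src, dst) for p in pieces]

def gateway_forward(pkt, link_mtu):
    """Intervening gateway: fragments oversized packets, or drops them when DF is set."""
    try: return fragment_ipv4(pkt, link_mtu)
    except ValueError: return []  # an ICMP Fragmentation Needed would be sent here, and may be filtered

def receive_tunnel(sa, outers):
    """Receiver: drop ciphertext fragments on an option SA, decapsulate, reassemble plaintext fragments."""
    frags = {}
    for o in outers:
        if o.proto != ESP: continue
        if o.mf or o.frag_offset:
            if sa.plaintext_frag: sa.stats["rejected_ciphertext_frag"] += 1
            continue  # ciphertext reassembly for SAs without the option is not modelled
        inner = esp_decap(sa, o)
        if inner is None: continue
        sa.stats["decapsulated"] += 1
        frags.setdefault(inner.ident, []).append(inner)
    done = []
    for ident, parts in frags.items():
        parts.sort(key=lambda f: f.frag_offset)
        contiguous = all(parts[i].frag_offset * 8 == sum(len(f.payload) for f in parts[:i]) for i in range(len(parts)))
        if contiguous and not parts[-1].mf:
            done.append(IPv4Packet(parts[0].src, parts[0].dst, parts[0].proto, ident, b"".join(f.payload for f in parts)))
    return done

def demo(pmtu=1400, link_mtu=1400, plaintext_frag=True):
    """Constructed scenario: a 3072-byte inner payload over a tunnel with the given PMTU and actual link MTU."""
    sa = SA(spi=0x1000, key=b"constructed demo key", plaintext_frag=plaintext_frag)
    inner = IPv4Packet("10.1.0.5", "10.2.0.9", 17, 4242, bytes(range(256)) * 12)
    outers = send_tunnel(sa, inner, pmtu, "192.0.2.1", "198.51.100.1")
    on_wire = [f for o in outers for f in gateway_forward(o, link_mtu)]
    return outers, on_wire, receive_tunnel(sa, on_wire), sa.stats
```

Running `demo()` with the link MTU equal to the PMTU the sender chose yields three DF-marked ESP packets that all fit and reassemble cleanly at the receiver; `demo(link_mtu=1300)` models a route change to a narrower link, where the gateway silently drops the DF packets and the receiver never completes the datagram, which is why the reply puts the burden of PMTU adaptation on the transmitter.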