
Re: IKE negotiation for fragmentation controls in IPsec

At 12:35 PM -0400 6/26/03, Henry Spencer wrote:
>On Wed, 25 Jun 2003, Stephen Kent wrote:
>>  As we revise 2401, we may choose to allow (or even recommend)
>>  plaintext (pre-IPsec encapsulation) fragmentation. If so, we need to
>>  be able to negotiate use of this capability on a per-SA basis, and to
>>  notify the receiver that NO ciphertext fragments should be accepted
>>  for this SA, because none will be sent by this transmitter...
>
>There is a problem here, in that fragmentation is not entirely under the
>control of the transmitter.  Intervening gateways may fragment the
>encrypted packets.  This situation can change dynamically, as routing
>changes, and the transmitter can't count on getting feedback about it,
>because many firewalls apparently block ICMP Fragmentation Required
>messages.
>
>Henry Spencer
>henry@spsystems.net

Well, I was assuming (but I should have said so explicitly) that the 
transmitter, if it negotiated this option, would set the DF bit, 
having selected a suitable PMTU. You are right that route changes can 
cause the PMTU to change, which would require adaptation by the 
transmitter.  I also acknowledge the problem posed by firewalls that 
block ICMP.  However, in many common cases, one will encounter the 
IPsec implementation at the firewall, not behind it, and thus this 
would be less of a problem.

So, given the residual problems we know about, the question still 
stands whether we want to include the option, with the understanding 
that the transmitter is the one who will ultimately have to take 
responsibility for making this work.  The receiver's job is simple, 
as all it needs to do, if it wishes, is to reject post-encapsulation 
fragments.

Steve
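The split of responsibilities discussed above (transmitter sizes plaintext fragments against a chosen PMTU and sends with DF set; receiver, per SA, rejects post-encapsulation fragments) as an added worked example, not code from the thread or any IPsec implementation. It assumes IPv4 ESP tunnel mode, a hypothetical per-SA flag `sa_accepts_ct_frags` keyed by SPI, and constructed sample packets carrying no real ciphertext.

```python
import struct

ESP_PROTO = 50
IP_DF, IP_MF, IP_OFF_MASK = 0x4000, 0x2000, 0x1FFF
OUTER_IP_HDR = 20  # IPv4 outer header in tunnel mode, no options


def inbound_verdict(pkt: bytes, sa_accepts_ct_frags: dict) -> str:
    """Receiver side: classify an outer IPv4 packet against the per-SA policy.
    sa_accepts_ct_frags maps SPI -> whether ciphertext fragments were negotiated."""
    if len(pkt) < OUTER_IP_HDR:
        return "drop:short"
    ver_ihl, _, _, _, flags_frag, _, proto, _, _, _ = struct.unpack("!BBHHHBBHII", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != ESP_PROTO:
        return "not-esp"
    offset, mf = flags_frag & IP_OFF_MASK, bool(flags_frag & IP_MF)
    if offset:
        # Non-first fragment: the SPI is not present, so it cannot be tied to an SA.
        # It is only worth holding for reassembly if some SA permits ciphertext fragments.
        return "reassemble" if any(sa_accepts_ct_frags.values()) else "drop:ct-fragment"
    if len(pkt) < ihl + 4:
        return "drop:short"
    spi = struct.unpack("!I", pkt[ihl:ihl + 4])[0]
    if spi not in sa_accepts_ct_frags:
        return "drop:unknown-spi"
    if mf:  # first fragment of a ciphertext packet: SPI visible, policy decides
        return "reassemble" if sa_accepts_ct_frags[spi] else "drop:ct-fragment"
    return "accept"


def max_inner_len(pmtu: int, iv_len: int, icv_len: int, block: int) -> int:
    """Transmitter side: largest inner (plaintext) IPv4 packet that ESP tunnel
    mode can carry so the outer packet, sent with DF set, fits within pmtu."""
    # ESP layout: SPI(4) + seq(4) + IV + [inner + pad + padlen(1) + nexthdr(1)] + ICV
    budget = pmtu - OUTER_IP_HDR - 8 - iv_len - icv_len
    budget -= budget % block  # encrypted part is padded up to the cipher block size
    return budget - 2         # padlen + next-header trailer bytes


def plaintext_fragment_data(pmtu, iv_len, icv_len, block, inner_hdr=20) -> int:
    """Payload bytes per pre-encapsulation fragment (non-final fragments are 8-byte multiples)."""
    data = max_inner_len(pmtu, iv_len, icv_len, block) - inner_hdr
    return data - data % 8


def make_outer(flags_frag: int, spi: int, proto: int = ESP_PROTO) -> bytes:
    """Constructed sample: outer IPv4 header followed by an ESP SPI/seq, no ciphertext."""
    hdr = struct.pack("!BBHHHBBHII", 0x45, 0, 28, 1, flags_frag, 64, proto, 0, 0x0A000001, 0x0A000002)
    return hdr + struct.pack("!II", spi, 1)
```

With AES-CBC (16-byte IV and block) and a 12-byte ICV at a 1500-byte PMTU, the transmitter gets 1438 bytes of inner packet, i.e. 1416 payload bytes per plaintext fragment.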