Re: IKE negotiation for fragmentation controls in IPsec
At 10:59 AM -0700 6/26/03, Srinivasa Rao Addepalli wrote:
> Negotiation on SA basis:
> Assuming that intermediate router fragmentation problem is solved,
> does it require negotiation on SA basis? I feel, it can be on peer basis.
> Either it can be set as local configuration on peer basis or capabilities
> of the peers can be exchanged using Vendor ID attributes.
One might choose to do this on an SA basis, because TCP deals well
with PMTU-imposed packet size restrictions, but UDP does not. So, by
allowing per-SA negotiation for this we can accommodate different
protocol capabilities re PMTU.
> Port Selector information:
> I did not understand all the details you mentioned. I feel, there is no need
> for any IKE negotiation for tunnel mode sessions. I try to list down the
> Outbound Processing steps:
> - Reassemble the packet (Packet coming from trusted network).
NO. There is no implied reassembly by the transmitter.
I won't comment on the rest of your message since this assumption was
not right and it may influence later parts of your message.