Re: IKE negotiation for fragmentation controls in IPsec

At 10:59 AM -0700 6/26/03, Srinivasa Rao Addepalli wrote:
>Hi Steve,
>   Negotiation on SA basis:
>   Assuming that intermediate router fragmentation problem is solved,
>   does it require negotiation on SA basis? I feel, it can be on peer basis.
>   Either it can be set as local configuration on peer basis or capabilities
>   of the peers can be exchanged using Vendor ID attributes.

One might choose to do this on an SA basis, because TCP deals well 
with PMTU-imposed packet size restrictions, but UDP does not.  So, by 
allowing per-SA negotiation for this we can accommodate different 
protocol capabilities re PMTU.

>    Port Selector information:
>    I did not understand all the details you mentioned. I feel, there
>    is no need for any IKE negotiation for tunnel mode sessions. I try
>    to list down the steps.
>       Outbound Processing steps:
>              - Reassemble the packet (Packet coming from trusted network).

NO. There is no implied reassembly by the transmitter.

I won't comment on the rest of your message since this assumption was 
not right and it may influence later parts of your message.