[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKE negotiation for fragmentation controls in IPsec

To: Henry Spencer <henry@spsystems.net>
Subject: Re: IKE negotiation for fragmentation controls in IPsec
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
Date: Mon, 30 Jun 2003 17:20:48 +0200
cc: IP Security List <ipsec@lists.tislabs.com>
In-reply-to: Your message of Thu, 26 Jun 2003 12:35:18 EDT. <Pine.BSI.3.91.1030626122847.25839B-100000@spsystems.net>
Sender: owner-ipsec@lists.tislabs.com

 In your previous mail you wrote:

   There is a problem here, in that fragmentation is not entirely under the
   control of the transmitter.  Intervening gateways may fragment the
   encrypted packets.  This situation can change dynamically, as routing
   changes, and the transmitter can't count on getting feedback about it,
   because many firewalls apparently block ICMP Fragmentation Required
   messages. 
   
=> Two comments:
 - IPv6 fragmentation is end to end, i.e., no intervening router
   may fragment the packets. So this issue exists only for IPv4.
 - current IPv4 path MTU discovery doesn't work. I use an ESP tunnel
   between two KAME boxes (one at home, one in labs) over PPPoE and
   it was a real nightmare to fix (KAME IPsec doesn't handle MTU,
   a lot of sites are over paranoid firewalls, a router of my ISP
   drops large packets when it should fragment them, etc).
So this is a can of worms and IMHO we should test proposed solutions
in the real world before engrave something in the stone.

Regards

Francis.Dupont@enst-bretagne.fr

References:
- Re: IKE negotiation for fragmentation controls in IPsec
  - From: Henry Spencer <henry@spsystems.net>

Prev by Date: Re: QoS selectors (was LAST CALL: IKE)
Next by Date: Re: IKE negotiation for fragmentation controls in IPsec
Prev by thread: Re: IKE negotiation for fragmentation controls in IPsec
Next by thread: Re: IKE negotiation for fragmentation controls in IPsec
Index(es):
- Date
- Thread