
Re: IKE negotiation for fragmentation controls in IPsec

 In your previous mail you wrote:

   There is a problem here, in that fragmentation is not entirely under the
   control of the transmitter.  Intervening gateways may fragment the
   encrypted packets.  This situation can change dynamically, as routing
   changes, and the transmitter can't count on getting feedback about it,
   because many firewalls apparently block ICMP Fragmentation Required
=> Two comments:
 - IPv6 fragmentation is end-to-end, i.e., no intervening router
   may fragment the packets. So this issue exists only for IPv4.
 - current IPv4 path MTU discovery doesn't work. I use an ESP tunnel
   between two KAME boxes (one at home, one in the labs) over PPPoE and
   it was a real nightmare to fix (KAME IPsec doesn't handle MTU,
   a lot of sites are behind over-paranoid firewalls, a router of my ISP
   drops large packets when it should fragment them, etc.).
So this is a can of worms and IMHO we should test proposed solutions
in the real world before engraving something in stone.
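As an added illustration, not part of the original thread, the following Python snippet computes the on-the-wire size of an ESP tunnel-mode packet and the largest inner packet that still fits a path MTU without the encrypted packet having to be fragmented. The standard IPv4/ESP sizes are real; the PPPoE MTU of 1492 and the two cipher/integrity suites are assumptions chosen for the example.

```python
# Added example: ESP tunnel-mode overhead vs. path MTU (not code from the thread).
from dataclasses import dataclass

OUTER_IPV4_HDR = 20   # outer IPv4 header added in tunnel mode (no options)
ESP_HDR = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int      # per-packet IV sent after the ESP header
    block: int       # cipher block size; payload + trailer is padded to it
    icv_len: int     # truncated integrity check value appended at the end


# Assumed suites for the illustration.
AES128_CBC_SHA1 = EspSuite("AES-128-CBC / HMAC-SHA1-96", 16, 16, 12)
TDES_CBC_SHA1 = EspSuite("3DES-CBC / HMAC-SHA1-96", 8, 8, 12)


def esp_padding(inner_len: int, suite: EspSuite) -> int:
    """Pad bytes so that inner packet + ESP trailer is a whole number of blocks."""
    return (-(inner_len + ESP_TRAILER)) % suite.block


def esp_tunnel_size(inner_len: int, suite: EspSuite) -> int:
    """Wire size of an ESP tunnel-mode IPv4 packet carrying inner_len bytes."""
    return (OUTER_IPV4_HDR + ESP_HDR + suite.iv_len
            + inner_len + esp_padding(inner_len, suite) + ESP_TRAILER
            + suite.icv_len)


def max_inner_size(path_mtu: int, suite: EspSuite) -> int:
    """Largest inner packet whose encrypted form still fits path_mtu.
    Subtract the fixed overhead, round the rest down to whole cipher
    blocks, then give back the two trailer bytes that share those blocks."""
    fixed = OUTER_IPV4_HDR + ESP_HDR + suite.iv_len + suite.icv_len
    blocks = (path_mtu - fixed) // suite.block
    return blocks * suite.block - ESP_TRAILER


def needs_fragmentation(inner_len: int, path_mtu: int, suite: EspSuite) -> bool:
    """True when the encrypted packet exceeds the path MTU: a router on the
    path must then fragment it or drop it, and (as the thread notes) the
    ICMP feedback may never reach the sender."""
    return esp_tunnel_size(inner_len, suite) > path_mtu


if __name__ == "__main__":
    PPPOE_MTU = 1492  # assumed path MTU of a PPPoE link
    for suite in (AES128_CBC_SHA1, TDES_CBC_SHA1):
        limit = max_inner_size(PPPOE_MTU, suite)
        print(f"{suite.name}: inner packets up to {limit} bytes fit in {PPPOE_MTU}; "
              f"1500-byte inner packet needs fragmentation: "
              f"{needs_fragmentation(1500, PPPOE_MTU, suite)}")
```

The inner limit is what a gateway would clamp the tunnel interface MTU (or TCP MSS) to when it cannot rely on path MTU discovery working through the firewalls the message describes.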