Re: IKE negotiation for fragmentation controls in IPsec
In your previous mail you wrote:
There is a problem here, in that fragmentation is not entirely under the
control of the transmitter. Intervening gateways may fragment the
encrypted packets. This situation can change dynamically, as routing
changes, and the transmitter can't count on getting feedback about it,
because many firewalls apparently block ICMP Fragmentation Required
=> Two comments:
- IPv6 fragmentation is end-to-end, i.e., no intervening router
may fragment the packets. So this issue exists only for IPv4.
- current IPv4 path MTU discovery doesn't work. I use an ESP tunnel
between two KAME boxes (one at home, one in the lab) over PPPoE and
it was a real nightmare to fix (KAME IPsec doesn't handle MTU,
a lot of sites are behind over-paranoid firewalls, a router of my ISP
drops large packets when it should fragment them, etc).
So this is a can of worms and IMHO we should test proposed solutions
in the real world before engraving something in stone.