
Re: IKE negotiation for fragmentation controls in IPsec



At 10:44 +0530 7/3/03, Ravi wrote:
> Umm... The routers in between security gateways can fragment the
> packets, and how does the receiving SG behave? One way to ensure that
> the routers in between don't fragment is by setting the DF bit at the
> transmitting SG and handling the ICMP PMTU messages.
>
> You seem to be suggesting that there could be active IP ID hijacking
> that confuses the receiving router and makes the SG discard valid
> packets. Is this problem really such a big problem? If so, the majority
> of applications should fail.
>
> Also, if a hijacker can do this, why can't he/she spoof an ICMP PMTU
> message to confuse the sender?
>
> The only other solution I could think of: send IP packets of a length
> which is acceptable to all routers; I think it is around 570 bytes or
> so. But performance is going to be very bad and I don't think it is
> acceptable.
>
> If this feature is to be implemented, there should be a way to find out
> the maximum path MTU using some other method. One way I can think of,
> off the top of my head, is:
> The sending SG finds out the path MTU periodically by starting with a
> 1500-byte packet and reducing the packet size until the receiver
> receives it successfully. Once the receiver receives the packet, it
> should ACK it. The sender should wait for some time before it reduces
> the packet size. Even this protocol should be protected from a hijacker
> in the middle.
>
> Thanks
> Ravi
>

Ravi,

I can't understand what you are trying to say above.  The wording is
just too confusing.  Try again.

Steve
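The quoted proposal describes two mechanisms: a sending gateway that probes the path MTU by sending DF-marked packets of decreasing size until one is acknowledged, and the need to protect that process (and ICMP "fragmentation needed" handling) from a spoofer. The following is an added illustration, not code from this thread or from any IPsec implementation. It simulates the probe descent over a constructed path, and shows the usual defensive check against off-path ICMP spoofing: an ICMP Fragmentation Needed message (RFC 1191) quotes the original IP header plus the first 8 bytes of payload, so the sender accepts it only if that quote matches a packet it actually sent, and only ever lowers its estimate. The packet fields, addresses, sizes and step value are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

PROBE_START = 1500  # constructed: the 1500-byte starting size from the proposal
PROBE_FLOOR = 576   # constructed: IPv4 minimum reassembly size (RFC 791), the "around 570 bytes" floor
PROBE_STEP = 100    # constructed: how much the sender shrinks the probe each round


@dataclass
class Path:
    """A constructed path whose smallest link MTU is `mtu` bytes."""
    mtu: int

    def deliver(self, size: int, df: bool) -> bool:
        """True if a `size`-byte packet reaches the far SG.

        Routers fragment oversized packets unless DF is set; with DF set
        they drop the packet (and would send ICMP Fragmentation Needed).
        """
        if size <= self.mtu:
            return True
        return not df


def probe_pmtu(path: Path, start: int = PROBE_START,
               floor: int = PROBE_FLOOR, step: int = PROBE_STEP) -> Optional[int]:
    """Descending probe as proposed: send DF packets from `start` downwards
    until the receiver acknowledges one. The floor is always tried last.
    Returns the largest acknowledged size, or None if even the floor fails.
    """
    sizes = list(range(start, floor, -step)) + [floor]
    for size in sizes:
        # In the real protocol the sender would wait for an ACK (or a
        # timeout) before shrinking; the simulated path answers at once.
        if path.deliver(size, df=True):
            return size
    return None


@dataclass(frozen=True)
class SentPacket:
    """The fields an ICMP error message quotes back: outer IP header
    identifiers plus the first 8 payload bytes (here the ESP SPI)."""
    src: str
    dst: str
    ip_id: int
    spi: int


class PmtuState:
    """Per-peer PMTU estimate with a validator for ICMP Fragmentation Needed.

    Only defeats off-path spoofing: an on-path attacker who sees the
    packets can always forge a matching quote, which is why the thread
    asks for the probing itself to be protected.
    """

    def __init__(self, initial: int = PROBE_START, floor: int = PROBE_FLOOR):
        self.pmtu = initial
        self.floor = floor
        self.outstanding: dict[int, SentPacket] = {}  # ip_id -> packet we sent

    def record(self, pkt: SentPacket) -> None:
        """Remember a packet we transmitted with DF set."""
        self.outstanding[pkt.ip_id] = pkt

    def on_icmp_too_big(self, quoted: SentPacket, next_hop_mtu: int) -> bool:
        """Accept the ICMP message only if its quoted header matches a
        packet we sent, and only let it lower the estimate within bounds."""
        sent = self.outstanding.get(quoted.ip_id)
        if sent is None or sent != quoted:
            return False  # does not match anything we sent: likely spoofed
        if next_hop_mtu < self.floor or next_hop_mtu >= self.pmtu:
            return False  # absurdly small, or would raise the estimate
        self.pmtu = next_hop_mtu
        return True


if __name__ == "__main__":
    print("probe over a 1400-byte path:", probe_pmtu(Path(1400)))
    st = PmtuState()
    real = SentPacket("10.0.0.1", "10.0.0.2", 0x1234, 0xDEADBEEF)  # constructed
    st.record(real)
    print("genuine ICMP accepted:", st.on_icmp_too_big(real, 1400), st.pmtu)
    fake = SentPacket("10.0.0.1", "10.0.0.2", 0x9999, 0xDEADBEEF)  # wrong IP ID
    print("spoofed ICMP accepted:", st.on_icmp_too_big(fake, 800), st.pmtu)
```

The descending probe is deliberately conservative: with a 100-byte step it settles on 1400 for a 1450-byte path, which is the price of not needing to know the exact MTU. The validator's comparison of the full quoted tuple (addresses, IP ID, SPI) is what forces an off-path spoofer to guess; it offers nothing against a hijacker sitting on the path.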