Re: IKE negotiation for fragmentation controls in IPsec
At 10:44 +0530 7/3/03, Ravi wrote:
> Umm... The routers in between the security gateways can fragment
> the packets, so how does the receiving SG behave? One way
> to ensure that the routers in between don't fragment is for the
> transmitting SG to set the DF bit and handle ICMP PMTU messages.
>
> You seem to be suggesting that there could be active IP ID hijacking
> that confuses the receiving router and makes the SG discard valid
> packets. Isn't this such a big problem? If so, the majority of
> applications should fail.
>
> Also, if a hijacker can do this, why can't he/she spoof ICMP
> PMTU messages to confuse the sender?
>
> The only other solution I could think of: send IP packets of a length
> which is acceptable to all routers; I think it is around
> 570 bytes or so.
> But performance is going to be very bad and I don't think it
> is acceptable.
>
> If this feature is to be implemented, there should be a way to find out
> the maximum path MTU using some other method. One way I can
> think of off the top of my head is:
> The sending SG finds out the path MTU periodically by starting with a
> 1500-byte packet and reducing the packet size until the receiver
> receives it successfully. Once the receiver receives the packet, it should
> ACK it. The sender should wait for some time before it reduces the packet
> size. Even this protocol should also be protected from a
> hijacker in the middle.
>
> Thanks
> Ravi
>
Ravi,
I can't understand what you are trying to say above. The wording is
just too confusing. Try again.
Steve
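For readers of the thread, the probing procedure sketched in the quoted message (sender sets DF, trusts no ICMP, shrinks the probe until the receiver acknowledges it, and keeps the exchange authenticated so a hijacker in the middle cannot forge probes or ACKs) is written out below as a self-contained simulation. This is an added example, not code from the list or from any IPsec implementation. It assumes a pre-shared 32-byte key between the two gateways, HMAC-SHA256 for the probe and ACK tags, a linear 64-byte step from 1500 down to IPv4's 576-byte minimum reassembly size, and two tries per size in place of a real timer; `Path`, `SendingSG`, `ReceivingSG` and `run_discovery` are names chosen here.

```python
import hmac
import hashlib
import os

TAG_LEN = 32            # HMAC-SHA256 tag appended to every probe
HDR_LEN = 2 + 8         # probe size (2 bytes) + per-probe nonce (8 bytes)
MIN_PROBE = HDR_LEN + TAG_LEN


class Path:
    """Constructed stand-in for the routers between the two SGs.

    The sender sets DF and ignores ICMP (which the thread notes can be
    spoofed), so a probe larger than the path MTU is simply dropped:
    silence is the only signal the sender gets.
    """
    def __init__(self, mtu):
        self.mtu = mtu

    def forward(self, pkt):
        return pkt if len(pkt) <= self.mtu else None


def _tag(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


class ReceivingSG:
    def __init__(self, key):
        self.key = key

    def on_probe(self, pkt):
        """Return an authenticated ACK for a genuine probe, else None."""
        if pkt is None or len(pkt) < MIN_PROBE:
            return None
        body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
        if not hmac.compare_digest(_tag(self.key, body), tag):
            return None                      # forged or corrupted probe: no ACK
        if int.from_bytes(body[:2], "big") != len(pkt):
            return None                      # size field must match what arrived
        # ACK is bound to both the size and the nonce, so an old ACK
        # cannot be replayed against a later probe of the same size.
        return _tag(self.key, b"ack" + body[:HDR_LEN])


class SendingSG:
    def __init__(self, key, path, peer, start=1500, floor=576, step=64, retries=2):
        self.key, self.path, self.peer = key, path, peer
        self.start, self.floor, self.step, self.retries = start, floor, step, retries

    def build_probe(self, size):
        hdr = size.to_bytes(2, "big") + os.urandom(8)
        body = hdr + bytes(size - MIN_PROBE)         # zero padding up to `size`
        return body + _tag(self.key, body)

    def ack_valid(self, probe, ack):
        if ack is None:
            return False
        return hmac.compare_digest(_tag(self.key, b"ack" + probe[:HDR_LEN]), ack)

    def discover_pmtu(self):
        """Largest probe size the receiver acknowledged, or None."""
        sizes = list(range(self.start, self.floor, -self.step)) + [self.floor]
        for size in sizes:
            # Several tries per size stand in for "wait before shrinking".
            for _ in range(self.retries):
                probe = self.build_probe(size)
                ack = self.peer.on_probe(self.path.forward(probe))
                if self.ack_valid(probe, ack):
                    return size
        return None                                  # nothing got through, even at the floor


def run_discovery(path_mtu, key=None):
    """Run one discovery against a constructed path with the given MTU."""
    key = key or os.urandom(32)
    return SendingSG(key, Path(path_mtu), ReceivingSG(key)).discover_pmtu()


if __name__ == "__main__":
    print(run_discovery(1400))   # 1372: largest probed size that fits a 1400-byte path
```

The linear step keeps the example close to the message's "reduce the packet size until the receiver receives it"; a binary search between the floor and the last failed size would converge in far fewer probes on a real link. The HMAC on the probe stops a middleman from injecting probes, and the nonce-bound ACK stops him from replaying or forging acknowledgements, which is the protection the message asks for; what this does not defend against is an attacker who simply drops the probes, which drives the sender down to the floor size.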