
[Ipsec] big IKE packets





I wonder if one solution to the problem of large IKE packets
(that require fragmentation) wouldn't be to define a fragmentation
header in IKE.

I.e. an IKEv2 payload which contains a sequence number, into which
     fragments of another IKEv2 payload could be placed.

     The sender would be responsible for making sure that all fragments
     get sent (since each would be ACK'ed in some way by the receiver).

The only problem that I see is that the original payload will need some
kind of response, and so I wonder whether or not to include the IKE
header as well as the payload.

Original packet:
	 IP UDP IKE-header SK{CERT, AUTH, stuff}

New packets:
	 IP UDP IKE-header SK{Frag#1{CERT....}}
	    <- IP UDP IKE-header SK{FragAck#1}
	 IP UDP IKE-header SK{Frag#2{AUTH....}}
	    <- IP UDP IKE-header SK{FragAck#2}
	 IP UDP IKE-header SK{Frag#3{stuff...}}
	    <- IP UDP IKE-header SK{FragAck#3, AUTH, stuff}

or perhaps:
	 IP UDP IKE-header SK{Frag#1{IKE-header', CERT....}}
	    <- IP UDP IKE-header SK{FragAck#1}
	 IP UDP IKE-header SK{Frag#2{AUTH....}}
	    <- IP UDP IKE-header SK{FragAck#2}
	 IP UDP IKE-header SK{Frag#3{stuff...}}
	    <- IP UDP IKE-header SK{FragAck#3}
	    <- IP UDP IKE-header' SK{AUTH, stuff}

- --
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [





_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
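
The Frag#n / FragAck#n exchange sketched in the message above, as an added example that is not part of the original post: a stop-and-wait sender retransmits each fragment until it is acknowledged, and the receiver re-ACKs duplicates, rejects out-of-order fragments and caps its reassembly state. The 4-byte header layout, `MAX_FRAGS`, the `drop` set that models lost ACKs and all function names are assumptions made for illustration, not a wire format from the post.

```python
import struct

HDR = struct.Struct("!HH")         # assumed header: fragment number, total fragments
MAX_FRAGS = 64                     # assumed receiver cap on reassembly state
SAMPLE = bytes(range(250)) * 12    # constructed 3000-byte stand-in for {CERT, AUTH, stuff}

def fragment(payload, mtu):
    """Split one large payload into numbered fragments (Frag#1..Frag#n)."""
    size = mtu - HDR.size
    if size <= 0:
        raise ValueError("mtu too small for fragment header")
    chunks = [payload[i:i + size] for i in range(0, len(payload), size)]
    if len(chunks) > MAX_FRAGS:
        raise ValueError("payload needs too many fragments")
    return [HDR.pack(n, len(chunks)) + c for n, c in enumerate(chunks, 1)]

class Receiver:
    """Accepts fragments strictly in order and ACKs each one."""
    def __init__(self):
        self.parts, self.expected, self.total, self.done = [], 1, None, None

    def receive(self, frag):
        """Return the FragAck number, or None if the fragment is rejected."""
        if len(frag) < HDR.size:
            return None
        num, total = HDR.unpack_from(frag)
        if not 1 <= num <= total <= MAX_FRAGS or self.total not in (None, total):
            return None                  # malformed, oversized or inconsistent total
        if num < self.expected:          # duplicate: our ACK was lost, re-ACK it
            return num
        if num != self.expected:         # gap: stop-and-wait never skips ahead
            return None
        self.parts.append(frag[HDR.size:])
        self.total, self.expected = total, self.expected + 1
        if num == total:
            self.done = b"".join(self.parts)
        return num

def send(payload, mtu, rx, drop=frozenset(), max_tries=5):
    """Stop-and-wait sender; `drop` holds (frag#, attempt) pairs whose ACK is lost."""
    sent = 0
    for num, frag in enumerate(fragment(payload, mtu), 1):
        for attempt in range(1, max_tries + 1):
            sent += 1
            if rx.receive(frag) == num and (num, attempt) not in drop:
                break                    # ACK arrived, move on to the next fragment
        else:
            raise TimeoutError(f"Frag#{num} never acknowledged")
    return sent
```
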