
Re: [Ipsec] big IKE packets



>>>>> "Paul" == Paul Koning <pkoning@equallogic.com> writes:
    Michael> I.e. an IKEv2 payload which contains a sequence number,
    Michael> into which fragments of another IKEv2 payload could be
    Michael> placed.

    Michael> The sender would be responsible for making sure that all
    Michael> fragments get sent (since each would be ACK'ed in some way
    Michael> by the receiver).

    Paul> If we're not satisfied with how IP does fragmentation,
    Paul> wouldn't it be more reasonable to use TCP -- which handles
    Paul> large packets the right way?

  There are two problems with how IP does fragmentation, and they aren't
about IP itself.
      1) fragments are hard for firewalls to filter, so they get lost.
      2) fragment reassembly under fragment DOS is often not very
	 fruitful.

  (And then there is the IPv6 situation. IPv6 just tells you to go do
the right PMTU yourself, or fragment yourself. This method can get us
the PMTU.)

    Paul> I dislike inventing new protocols to address previously solved
    Paul> problems.

  We could have an option to run over TCP.
  But, consider if one is doing IPsec in the first place to protect 
TCP management sessions. Ooops.

- --
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


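The scheme sketched in the message above (a payload carrying a sequence number into which fragments of another payload are placed, with the sender retaining every fragment until the receiver has ACKed it, and the receiver bounding what it will buffer so a fragment flood cannot exhaust it) as an added example. This is editorial illustration, not code from the original thread or from any IKE implementation; the header layout, the message id, the buffer limits and the lossy-link simulation are all constructed assumptions, and the layout is not the wire format later standardised for IKEv2 fragmentation in RFC 7383.

```python
from __future__ import annotations

import struct

# Constructed fragment header for this illustration (NOT the IKEv2 wire format):
#   message_id (u32), fragment_number (u16, 1-based), total_fragments (u16), payload_len (u16)
FRAG_HDR = struct.Struct("!IHHH")


def fragment(message_id: int, payload: bytes, max_datagram: int) -> list[bytes]:
    """Split one large payload into self-describing fragments that each fit max_datagram."""
    room = max_datagram - FRAG_HDR.size
    if room <= 0:
        raise ValueError("max_datagram too small to carry any payload")
    pieces = [payload[i:i + room] for i in range(0, len(payload), room)] or [b""]
    total = len(pieces)
    return [FRAG_HDR.pack(message_id, n, total, len(p)) + p for n, p in enumerate(pieces, 1)]


class Sender:
    """Keeps every fragment until the receiver has ACKed it by sequence number."""

    def __init__(self, message_id: int, payload: bytes, max_datagram: int):
        self.message_id = message_id
        self.frags = dict(enumerate(fragment(message_id, payload, max_datagram), 1))
        self.unacked = set(self.frags)

    def pending(self) -> list[bytes]:
        """Fragments still owed to the receiver: all of them at first, then only the unACKed ones."""
        return [self.frags[n] for n in sorted(self.unacked)]

    def ack(self, message_id: int, fragment_number: int) -> None:
        if message_id == self.message_id:
            self.unacked.discard(fragment_number)

    def done(self) -> bool:
        return not self.unacked


class Reassembler:
    """Receiver side with hard bounds so a flood of partial messages cannot exhaust memory."""

    def __init__(self, max_messages: int = 4, max_message_bytes: int = 65535):
        self.max_messages = max_messages
        self.max_message_bytes = max_message_bytes
        self.partial: dict[int, tuple[int, dict[int, bytes]]] = {}  # id -> (total, {n: piece})

    def receive(self, datagram: bytes) -> tuple[int, int] | None:
        """Validate one fragment; return (message_id, fragment_number) to ACK, or None to drop it."""
        if len(datagram) < FRAG_HDR.size:
            return None
        mid, n, total, plen = FRAG_HDR.unpack_from(datagram)
        piece = datagram[FRAG_HDR.size:]
        if total == 0 or not 1 <= n <= total or len(piece) != plen:
            return None
        if mid not in self.partial:
            if len(self.partial) >= self.max_messages:
                return None  # refuse to open yet another reassembly buffer
            self.partial[mid] = (total, {})
        stored_total, pieces = self.partial[mid]
        if total != stored_total:
            return None  # inconsistent with earlier fragments of the same message
        if n not in pieces:
            if sum(map(len, pieces.values())) + len(piece) > self.max_message_bytes:
                del self.partial[mid]  # give up on a message that has grown past the limit
                return None
            pieces[n] = piece
        return (mid, n)  # a duplicate fragment is ACKed again but not stored again

    def complete(self, message_id: int) -> bytes | None:
        """Return the reassembled payload once every fragment is present, else None."""
        entry = self.partial.get(message_id)
        if entry is None:
            return None
        total, pieces = entry
        if len(pieces) != total:
            return None
        del self.partial[message_id]
        return b"".join(pieces[n] for n in range(1, total + 1))


def exchange(payload: bytes, max_datagram: int,
             lost: frozenset[tuple[int, int]] = frozenset(), max_rounds: int = 8):
    """Drive sender and receiver over a constructed link that drops the (round, fragment_number)
    pairs listed in `lost`; each round resends only what is still unACKed.
    Returns (reassembled payload or None, rounds used)."""
    sender = Sender(0x1234, payload, max_datagram)
    rx = Reassembler()
    for rnd in range(1, max_rounds + 1):
        for frag in sender.pending():
            n = FRAG_HDR.unpack_from(frag)[1]
            if (rnd, n) in lost:
                continue
            ack = rx.receive(frag)
            if ack is not None:
                sender.ack(*ack)
        if sender.done():
            return rx.complete(0x1234), rnd
    return None, max_rounds
```

The receiver never trusts a fragment it has not validated against the header it already holds for that message, caps both the number of open reassemblies and the bytes per message, and ACKs duplicates without re-storing them; the sender is the only party that keeps state about what remains to be sent, which is the property the message above relies on.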

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec