Re: [Ipsec] big IKE packets
>>>>> "Michael" == Michael Richardson <mcr@sandelman.ottawa.on.ca> writes:
Paul> If we're not satisfied with how IP does fragmentation, wouldn't
Paul> it be more reasonable to use TCP -- which handles large packets
Paul> the right way?
Michael> There are two problems with how IP does fragmentation, and
Michael> they aren't about IP itself. 1) fragments are hard for
Michael> firewalls to filter, so they get lost. 2) fragment
Michael> reassembly under fragment DOS is often not very fruitful.
Michael> (And then there is the IPv6 situation. IPv6 just tells you
Michael> to go do the right PMTU yourself, or fragment yourself. This
Michael> method can get us the PMTU.)
True.
Paul> I dislike inventing new protocols to address previously solved
Paul> problems.
Michael> We could have an option to run over TCP. But, consider if
Michael> one is doing IPsec in the first place to protect TCP
Michael> management sessions. Ooops.
So? That's no more an issue than it is for UDP. A TCP IKE session
would not go through IPsec, just like port 500 UDPgrams don't use
IPsec.
paul
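An added illustration of the trade-off argued above (not code from the thread or from any IKE implementation): a UDP datagram carrying a large IKE message, for instance one with several certificates, exceeds the 1280-byte IPv6 minimum MTU and so depends on IP fragmentation, which is exactly what Michael says firewalls drop; TCP segments the stream itself, but because TCP delivers bytes rather than datagrams, IKE messages then need explicit delimiting. The 2-byte big-endian length prefix, the 1280-byte MTU, and the IKE-header-shaped sample bytes are my assumptions for the example; the prefix is the same general idea that the later RFC 8229 TCP encapsulation of IKE uses, but its exact field semantics are not reproduced here.

```python
"""Added example: UDP size check for an IKE message beside length-prefixed
framing of the same message over a TCP byte stream.

Assumptions (mine, not from the mailing-list thread): a 2-byte big-endian
length prefix per message, a 1280-byte IPv6 minimum MTU, and constructed
sample bytes that are only header-shaped, not a valid IKE message.
"""
import struct

IPV6_MIN_MTU = 1280   # assumption: smallest IPv6 link MTU
IPV6_HDR = 40         # fixed IPv6 header
UDP_HDR = 8           # UDP header
IKE_HDR = 28          # fixed IKE header size (SPIs, next payload, version,
                      # exchange type, flags, message ID, length)


def udp_fits_without_fragmentation(ike_msg: bytes, mtu: int = IPV6_MIN_MTU) -> bool:
    """True if the message, sent as one UDP datagram, fits a single IP packet.
    If False, IPv6 forces the sender to fragment (or discover the PMTU) itself."""
    return IPV6_HDR + UDP_HDR + len(ike_msg) <= mtu


def frame(msg: bytes) -> bytes:
    """Prefix one IKE message with its 16-bit length so a stream receiver can
    recover message boundaries that TCP does not preserve."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too large for a 16-bit length prefix")
    return struct.pack("!H", len(msg)) + msg


class StreamDeframer:
    """Reassembles framed messages from arbitrary TCP segment boundaries."""

    def __init__(self) -> None:
        self.buf = bytearray()

    def feed(self, data: bytes) -> list:
        """Consume a chunk of stream bytes; return every complete message found."""
        self.buf += data
        out = []
        while len(self.buf) >= 2:
            (n,) = struct.unpack("!H", self.buf[:2])
            if len(self.buf) < 2 + n:
                break                      # wait for the rest of this message
            out.append(bytes(self.buf[2:2 + n]))
            del self.buf[:2 + n]
        return out


def build_sample_ike_message(payload_len: int) -> bytes:
    """Constructed sample: a 28-byte IKE-header-shaped prefix plus filler.
    Not a valid IKE message; only its size matters for this example."""
    header = struct.pack("!QQBBBBII",
                         0x1122334455667788,   # initiator SPI (made up)
                         0,                    # responder SPI
                         0x21, 0x20, 34, 0x08, # next payload, version, exch type, flags
                         0,                    # message ID
                         IKE_HDR + payload_len)
    return header + b"\x00" * payload_len


def demo() -> dict:
    """Show one message that fits a UDP datagram, one that does not, and both
    carried intact over a stream split at arbitrary points."""
    small = build_sample_ike_message(200)
    big = build_sample_ike_message(3000)   # e.g. a message carrying certificates
    results = {
        "small_fits_udp": udp_fits_without_fragmentation(small),
        "big_fits_udp": udp_fits_without_fragmentation(big),
    }
    wire = frame(small) + frame(big) + frame(small)
    deframer = StreamDeframer()
    got = []
    for i in range(0, len(wire), 700):     # 700-byte segments cut mid-message
        got += deframer.feed(wire[i:i + 700])
    results["deframed_lengths"] = [len(m) for m in got]
    results["leftover"] = len(deframer.buf)
    return results


if __name__ == "__main__":
    print(demo())
```

Note that nothing here protects the TCP connection itself: as the reply above says, an IKE-over-TCP session would sit outside IPsec exactly as UDP port 500 traffic does today, so the framing only addresses message size, not the protection of the management session.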
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec