Re: [Ipsec] big IKE packets



>>>>> "Michael" == Michael Richardson <mcr@sandelman.ottawa.on.ca> writes:

 Paul> If we're not satisfied with how IP does fragmentation, wouldn't
 Paul> it be more reasonable to use TCP -- which handles large packets
 Paul> the right way?

 Michael> There are two problems with how IP does fragmentation, and
 Michael> they aren't about IP itself.  1) fragments are hard for
 Michael> firewalls to filter, so they get lost.  2) fragment
 Michael> reassembly under fragment DOS is often not very fruitful.

 Michael> (And then there is the IPv6 situation. IPv6 just tells you
 Michael> to do go the right PMTU yourself, or fragment yourself. This
 Michael> method can get us the PMTU)

True.

 Paul> I dislike inventing new protocols to address previously solved
 Paul> problems.

 Michael> We could have an option to run over TCP.  But, consider if
 Michael> one is doing IPsec in the first place to protect TCP
 Michael> management sessions. Ooops.

So?  That's no more an issue than it is for UDP.  A TCP IKE session
would not go through IPsec, just like port 500 UDPgrams don't use
IPsec. 

       paul


_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec