
Re: [Ipsec] big IKE packets



>   There are two problems with how IP does fragmentation, and they aren't
> about IP itself.
>       1) fragments are hard for firewalls to filter, so they get lost.

Can't modern firewalls tag the initial segment's ID, and let matching IDs
through?  I know there's packet reordering and implementations that send the
last fragment first, but the former is relatively rare, and the latter can be
fixed.

>   (And then there is the IPv6 situation. IPv6 just tells you to do go
> the right PMTU yourself, or fragment yourself. This method can get us
> the PMTU)

And IPv4 can be configured to act just like IPv6 in this regard.  Our IP, for
example, sets the DF bit by default on outbound packets.

>     Paul> I dislike inventing new protocols to address previously solved
>     Paul> problems.

I agree with Paul 100%.  Let's not reinvent the wheel more than we have to in
IKEv2.

Dan
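The fragment-tracking behaviour Dan asks about, as an added illustration that is not part of this thread: a stateful filter decides on the first fragment (the only one carrying the UDP header) and applies that verdict to every sibling sharing the same IP Identification, holding out-of-order siblings until the first fragment arrives. The packet model, the sample traffic and the policy (only UDP/500, i.e. IKE, is allowed) are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed model of the IP header fields a fragment-aware filter keys on.
@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: int                   # 17 = UDP
    ident: int                   # IP Identification, shared by all fragments of one datagram
    offset: int                  # fragment offset; 0 means this piece carries the UDP header
    more: bool                   # More Fragments flag
    dport: Optional[int] = None  # only known in the first fragment

class FragmentFilter:
    """Decide on the first fragment, apply the same verdict to its siblings."""
    def __init__(self, allowed_udp_ports=(500,)):   # assumption: IKE on UDP/500 only
        self.allowed = set(allowed_udp_ports)
        self.verdicts = {}                 # (src, dst, proto, ident) -> bool
        self.pending = defaultdict(list)   # siblings that arrived before the first fragment
        # A real implementation also expires entries after a reassembly timeout.

    @staticmethod
    def _key(f):
        return (f.src, f.dst, f.proto, f.ident)

    def process(self, f):
        """Return (fragment, allowed) decisions that can be emitted now."""
        k = self._key(f)
        if f.offset == 0:
            verdict = f.proto == 17 and f.dport in self.allowed
            self.verdicts[k] = verdict
            # Release or drop siblings that came early (e.g. last fragment sent first).
            return [(f, verdict)] + [(h, verdict) for h in self.pending.pop(k, [])]
        if k in self.verdicts:
            return [(f, self.verdicts[k])]
        self.pending[k].append(f)          # hold until the first fragment shows up
        return []

    def run(self, frags):
        return [d for f in frags for d in self.process(f)]

def demo():
    """Constructed traffic: an IKE datagram in 3 fragments, last fragment first, plus a
    non-IKE datagram in 2 fragments. Returns {ident: [allowed flags]}."""
    a, b = "10.0.0.1", "10.0.0.2"
    frags = [Fragment(a, b, 17, 0x1001, 2960, False),            # last piece arrives first
             Fragment(a, b, 17, 0x1001, 0, True, dport=500),     # first piece decides
             Fragment(a, b, 17, 0x1001, 1480, True),
             Fragment(a, b, 17, 0x2002, 0, True, dport=1234),    # not IKE: denied
             Fragment(a, b, 17, 0x2002, 1480, False)]
    out = defaultdict(list)
    for f, ok in FragmentFilter().run(frags):
        out[f.ident].append(ok)
    return dict(out)
```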

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec