Re: [Ipsec] big IKE packets
> There are two problems with how IP does fragmentation, and they aren't
> about IP itself.
> 1) fragments are hard for firewalls to filter, so they get lost.

Can't modern firewalls tag the initial segment's ID, and let matching IDs
through? I know there's packet reordering and implementations that send the
last fragment first, but the former is relatively rare, and the latter can be
fixed.

> (And then there is the IPv6 situation. IPv6 just tells you to do go
> the right PMTU yourself, or fragment yourself. This method can get us
> the PMTU)

And IPv4 can be configured to act just like IPv6 in this regard. Our IP, for
example, sets the DF bit by default on outbound packets.

> Paul> I dislike inventing new protocols to address previously solved
> Paul> problems.

I agree with Paul 100%. Let's not reinvent the wheel more than we have to in
IKEv2.

Dan