Re: [Ipsec] big IKE packets




Hi,
     Is the certificate the only issue in fragmentation? Based
on my quick read of the IKEv2 specification, there are some
scenarios where the packet size can be more than the PMTU
value of the path. If there are multiple networks behind
gateways and with different services, the TS payload itself
can become bigger. I did not see in the document that the
payload size should be limited to 'N' number of Traffic
Selectors.

     I feel that we need to solve the problem completely,
rather than fixing the problem only for certificates.

     Somehow, I think that running IKE over TCP would be
good, as TCP internally takes care of adjusting its MSS based
on PMTU values.

Ravi

----- Original Message -----
From: "Tero Kivinen" <kivinen@iki.fi>
To: "Michael Richardson" <mcr@sandelman.ottawa.on.ca>
Cc: <ipsec@lists.tislabs.com>; <pki4ipsec@honor.icsalabs.com>
Sent: Wednesday, September 01, 2004 3:20 AM
Subject: [Ipsec] big IKE packets


 > Michael Richardson writes:
 > > I wonder if one solution to the problem of large IKE packets
 > > (that require fragmentation) wouldn't be to define a fragmentation
 > > header in IKE.
 >
 > There is also such a method, it is called IP. The IP packets already
 > offer fragmentation, why should we do it again on the IKE level?
 >
 > If the operating system vendor who implemented the IP stack didn't know
 > how to make the fragmentation, how can you expect him to be able to
 > make IKE fragmentation to the IPsec stack of the OS?
 >
 > The only difference would be the separate acks for fragments, but I do
 > not think this fragmentation in IKE would really help, as it just adds
 > one more complicated option, and I think people would be leaving the
 > implementation of it out from their products.
 >
 > The HTTP transfer of certificates is a much better solution for that.
 > --
 > kivinen@safenet-inc.com
 >
 > _______________________________________________
 > Ipsec mailing list
 > Ipsec@ietf.org
 > https://www1.ietf.org/mailman/listinfo/ipsec
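
The Traffic Selector size concern raised in the reply above, worked through as an added example (not part of the original messages and not taken from any IKE implementation). It encodes TS payloads using the layout in RFC 7296, section 3.13, which was published after this thread; the sample networks and the 300 bytes allowed for the rest of the IKE message are constructed assumptions.

```python
import ipaddress
import struct

TS_IPV4_ADDR_RANGE = 7      # TS Type values, RFC 7296 section 3.13.1
TS_IPV6_ADDR_RANGE = 8
IPV4_UDP_OVERHEAD = 20 + 8  # IPv4 header without options, plus UDP header


def encode_selector(network, proto=0, start_port=0, end_port=65535):
    """Encode one Traffic Selector covering every address in `network`."""
    net = ipaddress.ip_network(network)
    ts_type = TS_IPV4_ADDR_RANGE if net.version == 4 else TS_IPV6_ADDR_RANGE
    first, last = net.network_address.packed, net.broadcast_address.packed
    length = 8 + len(first) + len(last)  # 16 bytes for IPv4, 40 for IPv6
    header = struct.pack("!BBHHH", ts_type, proto, length, start_port, end_port)
    return header + first + last


def encode_ts_payload(selectors, next_payload=0):
    """Encode a TSi or TSr payload: generic header, count, reserved, selectors."""
    if not 1 <= len(selectors) <= 255:
        raise ValueError("Number of TSs is a one-byte field (1..255)")
    body = b"".join(encode_selector(*s) for s in selectors)
    header = struct.pack("!BBHB3x", next_payload, 0, 8 + len(body), len(selectors))
    return header + body


def max_selectors_within(path_mtu, other_ike_bytes, selector_len):
    """Selectors that fit in each of TSi and TSr before IP has to fragment."""
    room = path_mtu - IPV4_UDP_OVERHEAD - other_ike_bytes
    per_payload = room // 2 - 8  # TSi and TSr share the room; 8-byte header each
    return max(0, min(255, per_payload // selector_len))


if __name__ == "__main__":
    # Constructed input: 100 /16 networks, each restricted to TCP port 443.
    sample = [(f"10.{i}.0.0/16", 6, 443, 443) for i in range(100)]
    ts = encode_ts_payload(sample)
    # Assumption: 300 bytes for the IKE header and every other payload.
    datagram = IPV4_UDP_OVERHEAD + 300 + 2 * len(ts)
    print(f"TS payload: {len(ts)} bytes, datagram with TSi+TSr: {datagram} bytes")
    print("IPv4 selectors per payload at PMTU 1500:", max_selectors_within(1500, 300, 16))
    print("IPv6 selectors per payload at PMTU 1500:", max_selectors_within(1500, 300, 40))
```

Under these assumptions a message carrying 100 selectors in each of TSi and TSr is a 3544-byte datagram, so it is fragmented at the IP layer on a 1500-byte path.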


