Re: [Ipsec] big IKE packets
Hi,
Is the certificate the only issue in fragmentation? Based
on my quick read of the IKEv2 specification, there are some
scenarios where the packet size can be more than the PMTU
value of the path. If there are multiple networks behind
gateways and with different services, the TS payload itself
can become bigger. I did not see in the document that the
payload size should be limited to 'N' number of Traffic
Selectors.
I feel that we need to solve the problem completely,
rather than fixing the problem only for certificates.
Somehow, I think that running IKE over TCP would be
good, as TCP internally takes care of adjusting its MSS based
on PMTU values.
Ravi
----- Original Message -----
From: "Tero Kivinen" <kivinen@iki.fi>
To: "Michael Richardson" <mcr@sandelman.ottawa.on.ca>
Cc: <ipsec@lists.tislabs.com>; <pki4ipsec@honor.icsalabs.com>
Sent: Wednesday, September 01, 2004 3:20 AM
Subject: [Ipsec] big IKE packets
> Michael Richardson writes:
> > I wonder if one solution to the problem of large IKE packets
> > (that require fragmentation) wouldn't be to define a fragmentation
> > header in IKE.
>
> There is also such a method, it is called IP. The IP packets already
> offer fragmentation, why should we do it again on the IKE level?
>
> If the operating system vendor who implemented the IP stack didn't know
> how to make the fragmentation, how can you expect him to be able to
> make IKE fragmentation to the IPsec stack of the OS?
>
> The only difference would be the separate acks for fragments, but I do
> not think this fragmentation in IKE would really help, as it just adds
> one more complicated option, and I think people would be leaving the
> implementation of it out from their products.
>
> The HTTP transfer of certificates is a much better solution for that.
> --
> kivinen@safenet-inc.com
>
> _______________________________________________
> Ipsec mailing list
> Ipsec@ietf.org
> https://www1.ietf.org/mailman/listinfo/ipsec
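The Traffic Selector sizing concern raised in the reply above, worked through as an added example that is not part of the original thread: it encodes TSi/TSr payloads using the IKEv2 layout as published in RFC 7296, section 3.13, and finds how many subnet selectors fit in one unfragmented UDP datagram. The path MTUs (1500 and 1280), the sample subnets and all function names are assumptions made for illustration.

```python
import ipaddress
import struct

TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE = 7, 8
UDP_HEADER, IKE_HEADER = 8, 28

def encode_selector(network, proto=0, start_port=0, end_port=65535):
    """One Traffic Selector covering a whole subnet, any protocol and port."""
    net = ipaddress.ip_network(network)
    ts_type = TS_IPV4_ADDR_RANGE if net.version == 4 else TS_IPV6_ADDR_RANGE
    first, last = net.network_address.packed, net.broadcast_address.packed
    length = 8 + len(first) + len(last)          # 16 for IPv4, 40 for IPv6
    head = struct.pack("!BBHHH", ts_type, proto, length, start_port, end_port)
    return head + first + last

def encode_ts_payload(networks, next_payload=0):
    """TSi/TSr payload: generic header, selector count, then the selectors."""
    if not 1 <= len(networks) <= 255:            # the count field is one octet
        raise ValueError("a TS payload carries 1..255 selectors")
    body = bytes([len(networks), 0, 0, 0])
    body += b"".join(encode_selector(n) for n in networks)
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def ike_budget(path_mtu, ip_header=20):
    """Bytes left for IKE payloads in one unfragmented UDP datagram."""
    return path_mtu - ip_header - UDP_HEADER - IKE_HEADER

def fits_unfragmented(tsi, tsr, path_mtu=1500, ip_header=20):
    """Optimistic: counts only TSi and TSr, not SA/ID/AUTH/CERT or SK overhead."""
    size = len(encode_ts_payload(tsi)) + len(encode_ts_payload(tsr))
    return size <= ike_budget(path_mtu, ip_header)

def max_protected_subnets(sample_net, path_mtu=1500, ip_header=20):
    """Largest TSr selector count (same family as sample_net) that still fits."""
    n = 0
    while n < 255 and fits_unfragmented([sample_net], [sample_net] * (n + 1),
                                        path_mtu, ip_header):
        n += 1
    return n

if __name__ == "__main__":
    # Constructed sample: one initiator subnet, N subnets behind the responder.
    print(max_protected_subnets("10.0.0.0/24"))
    print(max_protected_subnets("2001:db8::/64", path_mtu=1280, ip_header=40))
```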