
[Ipsec] Fwd: Re: Two IKEv2 issues from the IESG



Since Thomas is not a member of the IPsec WG mail list, this message will 
probably sit in the spam queue indefinitely.  I think the WG should see it 
now.  So, I am forwarding it.

Russ

>To: Russ Housley <housley@vigilsec.com>
>cc: ipsec@ietf.org, margaret@thingmagic.com
>Subject: Re: Two IKEv2 issues from the IESG
>Date: Thu, 02 Sep 2004 10:01:00 -0400
>From: Thomas Narten <narten@us.ibm.com>
>
>Russ Housley <housley@vigilsec.com> writes:
>
> > I suggest the addition of the following text:
>
> >     "All IKEv2 implementations MUST be able to receive and process
> >     packets that are up to 1280 bytes long, and they SHOULD be able
> >     to receive and process packets that are up to 3000 bytes long."
>
>I don't see how the SHOULD is useful. The problem is that a sender has
>no way of knowing whether the other end supports the larger packet
>size. So, for interoperability, it can't try a size that large. If it
>does, it may well send packets into a black hole. This is a generic
>issue that has come up in many other protocols. It would be nice to
>send larger packets, but it turns out that there exist compliant
>implementations that don't support them, so one can't count on such
>packets being supported.
>
>Note, the key issue is what is the receiver mandated to be capable of
>accepting?
>
>Or, is there a way for IKE to respond to such packets with an error
>effectively saying "packet too big"? If so, then one could try a large
>packet, and negotiate a smaller value. That also works.
>
>Thomas


_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec