While working on 802.15.9, Tero and I discussed this. IKEv1 allowed for
REALLY BIG cert chains and had lots or problems even without NATs.
IKEv2 is more restrictive such that we designed 15.9 worst case
frag/reassem to be 24KB (more than enough per Tero):
"4.7 KMP Payload Size
As the MP Data layer allows a KMP payload to be fragmented up to 256
fragments, this means that even if
the PHY is using 127 octet PSDUs (96 octets effective fragment size),
this recommended practice can use
KMP payloads up to 24 576 octets."
If you design a UDP service that supports 32 fragments (5 bit counter),
you can support payloads of ~15KB.
On 03/29/2016 03:50 AM, Miika Komu wrote:
Hi Samu,
On 03/26/2016 03:16 AM, Tom Henderson wrote:
On 03/25/2016 03:49 PM, Derek Fawcus wrote:
Recently I've been working on middlebox s/w: Firewalls and NAT.
One thing this has brought home to me is just how unreliable
fragmentation is on the current Internet. NAT will often simply
break it (such that they can not be reassembled) or just discard
them, and firewalls are often set up to block them.
As such, almost every protocol now would seem to need protocol
level segmentation/fragmentation, rather than depend up IP level
fragmentation.
It struck me that it should be quite simple to extend HIP to
support such.
1) Add a Controls bit which advertises that the sender supports
segmentation. 2) Define a new parameter, numbered 1 such that it
is first in the parameters, and is critical. Within the parameter
have a seqno/identifier, offset and more segments / final segment
bit, possibly also a total size field. Define some simple
reassembly rules, similar to those for IP fragments, such that one
could reassemble a HIP packet larger than 2008 bytes if desired
(how big?). 3) Possibly also define a none critical parameter
within the non signed, non MACed range which advertises the max
size packet the sender is willing to reassemble. In fact I guess
this might remove the need to use a Controls bit, since it would
imply the sender can reassemble.
Then have a rule that once one party has seen the other party
advertise the segmentation capability within the current BEX
session, it is free to make use of segmentation towards that peer.
Thoughts?
DF
Hi Derek, I don't remember the details, but in the early days of HIP,
it was decided to avoid the burden of supporting fragmentation. I
guess I'd prefer to see some evidence that HIP messages are being
fragmented in the wild before starting a work effort to add support.
do you recall how long a typical X.509 certificate can get?
_______________________________________________
Hipsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/hipsec
_______________________________________________
Hipsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/hipsec
