A general comment: I think we already decided in the WG that we will go with the TCP approach, not with this fragmentation layer in IKEv2. Why do we have this document here?
Some other comments: In section 2.5 the header contains a "Total Fragments" field. This means the initiator must decide the number of fragments it is sending out in the beginning, i.e. it cannot dynamically adjust this if it sees that it is sending such long fragments that they get lost. It would be better to use the standard way of doing this, i.e. sending the offset to the start of the fragment, and some kind of indication whether this was the last fragment or not.

Also it is not clear how retransmission is done here at all. I assume we will send all fragments in case of retransmission, but again we cannot adjust the fragment size to be smaller, even if we start to suspect that there is something in between which is eating our fragments. The only way to do that would be to delete the IKE SA and start over with a lower fragment size parameter (as it is possible that the responder did get some of the fragments, for example the last one, which was small enough, and as we only have the fragment number, not the offset, we cannot know at which offset that packet belongs).

-- 
[email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
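The reassembly problem raised in the message above, as an added example that is not part of the original mail or of the draft it discusses. The two header layouts (a "Fragment Number / Total Fragments" pair versus a byte offset plus a last-fragment flag), the field names and the class names are assumptions for illustration. The simulation models a path that silently drops fragments above some size: the first attempt uses large fragments and only the small last one gets through, then the initiator retransmits with smaller fragments. With numbered fragments the responder cannot place the fragment it already holds once Total Fragments changes, so it must discard state; with offsets the old and new fragments combine.

```python
"""Fragment reassembly under a re-sized retransmission (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class NumberedFragment:
    """Assumed header: 1-based fragment number and total fragment count."""
    frag_num: int
    total_frags: int
    payload: bytes


@dataclass(frozen=True)
class OffsetFragment:
    """Assumed header: byte offset into the message and a last-fragment flag."""
    offset: int
    last: bool
    payload: bytes


def fragment_numbered(msg: bytes, size: int) -> List[NumberedFragment]:
    chunks = [msg[i:i + size] for i in range(0, len(msg), size)]
    return [NumberedFragment(n, len(chunks), c) for n, c in enumerate(chunks, 1)]


def fragment_offset(msg: bytes, size: int) -> List[OffsetFragment]:
    chunks = [msg[i:i + size] for i in range(0, len(msg), size)]
    return [OffsetFragment(i * size, i == len(chunks) - 1, c) for i, c in enumerate(chunks)]


class NumberedReassembler:
    def __init__(self) -> None:
        self.total: Optional[int] = None
        self.parts: Dict[int, bytes] = {}

    def accept(self, f: NumberedFragment) -> None:
        if self.total is None:
            self.total = f.total_frags
        elif f.total_frags != self.total:
            # A retransmission with a different fragment size changes the total,
            # and the fragment number alone gives no byte position for what we hold.
            raise ValueError("Total Fragments changed; held fragments cannot be placed")
        self.parts[f.frag_num] = f.payload

    def complete(self) -> bool:
        return self.total is not None and len(self.parts) == self.total

    def reassemble(self) -> bytes:
        return b"".join(self.parts[n] for n in range(1, self.total + 1))


class OffsetReassembler:
    def __init__(self) -> None:
        self.parts: Dict[int, bytes] = {}
        self.end: Optional[int] = None

    def accept(self, f: OffsetFragment) -> None:
        self.parts[f.offset] = f.payload
        if f.last:
            self.end = f.offset + len(f.payload)

    def complete(self) -> bool:
        # Walk fragments by offset and check that the covered range has no hole
        # up to the end marked by a last fragment; overlaps from mixed sizes are fine.
        if self.end is None:
            return False
        covered = 0
        for off in sorted(self.parts):
            if off > covered:
                return False
            covered = max(covered, off + len(self.parts[off]))
        return covered >= self.end

    def reassemble(self) -> bytes:
        buf = bytearray(self.end)
        for off, data in self.parts.items():
            buf[off:off + len(data)] = data
        return bytes(buf)


def simulate_numbered(msg: bytes, first_size: int, retry_size: int, max_payload: int) -> Optional[bytes]:
    """First attempt, then a retransmission; fragments larger than max_payload are dropped."""
    r = NumberedReassembler()
    for f in fragment_numbered(msg, first_size):
        if len(f.payload) <= max_payload:
            r.accept(f)
    try:
        for f in fragment_numbered(msg, retry_size):
            if len(f.payload) <= max_payload:
                r.accept(f)
    except ValueError:
        return None  # responder has to throw its state away and start over
    return r.reassemble() if r.complete() else None


def simulate_offset(msg: bytes, first_size: int, retry_size: int, max_payload: int) -> Optional[bytes]:
    """Same scenario with offset-based headers: both attempts contribute."""
    r = OffsetReassembler()
    for size in (first_size, retry_size):
        for f in fragment_offset(msg, size):
            if len(f.payload) <= max_payload:
                r.accept(f)
    return r.reassemble() if r.complete() else None


if __name__ == "__main__":
    message = bytes(range(256)) * 4  # constructed 1024-byte IKE message
    print("numbered:", simulate_numbered(message, 400, 250, 300) is not None)
    print("offset:  ", simulate_offset(message, 400, 250, 300) == message)
```

With a 1024-byte message, a first attempt at 400-byte fragments and a path that only passes fragments of 300 bytes or less, only the 224-byte tail arrives. A retry at 250 bytes succeeds with offsets but fails with numbers, because the held fragment was "3 of 3" and the retry is "1..5 of 5". When the size does not change between attempts, the numbered scheme reassembles normally.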
