On Wed, 18 Sep 2013, Rajeshwar Singh Jenwar (rsj) wrote:
> IKEv2 fragmentation is mostly used for large-sized packets. There are use cases when our implementation needs to send huge packets over the IKEv2 control-plane channel. On a lossy network, if one of the fragments is lost, using the current draft the responder will not be able to reassemble the IKEv2 packet, so the initiator needs to retransmit all the fragments again. If we are already going for integrity-protected encryption for each fragment, has the option of an ACK response for each fragment, using the encrypted fragment payload, been investigated? Using the encrypted fragment payload for ACKing fragments, if some fragments are lost while retransmitting we can retransmit only those fragments for which we have not received an ACK. The solution works well for time-critical, large control packets; on the down side, it incurs ACK overhead for each fragment on networks where there is no packet loss.
Isn't it easier (and cheaper/faster) to just send all fragments again? The receiver hasn't thrown away its previously received fragments and can just discard the duplicate frames.
> In a constrained-devices environment, the need for fragmentation will be greater as these networks can carry only limited-size packets. More retransmits on lossy networks and constrained devices will consume more battery too. At the same time, these networks are lossy in nature, so having an ACK mechanism for fragments makes more sense.
I'd say it would take more resources to build up a new packet to request particular frames. Also in IKEv2, it's really up to the initiator to re-send, so it should just re-send all its frames while the responder just waits on the missing frames.

Paul

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
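As an added illustration of the retransmit-all behaviour argued for in the thread (example code, not from either poster or from the draft): a receiver keeps the fragments it already holds, drops duplicates by Fragment Number, and completes reassembly once the initiator resends the whole set. The Fragment fields, message ID 7, the sample payload and the loss pattern are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Fragment:
    """Constructed stand-in for an Encrypted Fragment payload (Fragment Number counts from 1)."""
    message_id: int
    frag_num: int
    total: int   # Total Fragments: identical in every fragment of one message
    data: bytes

@dataclass
class Reassembler:
    """Receiver-side reassembly state kept for one IKE Message ID."""
    message_id: int
    total: Optional[int] = None
    received: Dict[int, bytes] = field(default_factory=dict)
    def accept(self, frag: Fragment) -> bool:
        """Store a fragment; False for a duplicate or an inconsistent fragment."""
        if frag.message_id != self.message_id:
            return False
        if self.total is None:
            self.total = frag.total
        if frag.total != self.total or not 1 <= frag.frag_num <= self.total:
            return False
        if frag.frag_num in self.received:
            return False  # duplicate from a retransmit: drop it, keep the stored copy
        self.received[frag.frag_num] = frag.data
        return True
    def missing(self) -> Set[int]:
        return set(range(1, (self.total or 0) + 1)) - set(self.received)
    def reassemble(self) -> Optional[bytes]:
        """The original message once every fragment is present, else None."""
        if self.total is None or self.missing():
            return None
        return b"".join(self.received[i] for i in range(1, self.total + 1))

def fragment(message_id: int, payload: bytes, size: int) -> List[Fragment]:
    chunks = [payload[i:i + size] for i in range(0, len(payload), size)]
    return [Fragment(message_id, n, len(chunks), c) for n, c in enumerate(chunks, 1)]

def retransmit_all_demo(payload: bytes, size: int, lost: Set[int]) -> Tuple[Set[int], int, Optional[bytes]]:
    """Pass 1 loses `lost`; pass 2 resends all. Returns (missing after pass 1, dups dropped, result)."""
    frags = fragment(7, payload, size)
    rx = Reassembler(message_id=7)
    for f in frags:
        if f.frag_num not in lost:
            rx.accept(f)
    missing = rx.missing()
    dups = sum(0 if rx.accept(f) else 1 for f in frags)  # initiator resends every fragment
    return missing, dups, rx.reassemble()
```

The duplicate count shows the cost Paul accepts (already-held fragments arrive again and are dropped), while the reassembled result shows that no per-fragment ACK is needed for the receiver to finish.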
