Hi Valery,
thanks for the update. A question about some text that's not new to -03:
Quoting from Sec. 2:
If Responder receives IKE Fragment Message after it received,
successfully verified and processed regular message with the same
Message ID, it means that response message didn't reach Initiator and it
activated IKE Fragmentation. If Fragment Number in Encrypted Fragment
Payload in this message is equal to 1, Responder MUST fragment its
response and retransmit it back to Initiator in fragmented form.
I think the MUST in the second sentence is incorrect. Assume the sender
switched to fragmented form, but the responder knows that it sent a very
short response. The response got lost, but this is unrelated to
fragmentation. So the responder should simply retransmit it as-is, and
there's no reason to fragment it.
Also I'm not happy with the first part of the new text (last paragraph
of Sec. 2), which adds complexity for both sender and responder. The
sender must ensure that when it re-fragments the message, the fragment
count is indeed higher (so it cannot use a simple table of possible
fragment sizes). And the receiver must add the number of fragments into
its IKE-level retransmit logic. I understand why this might be needed
sometimes, but is the added flexibility (allowing to retry different
fragment sizes) worth the complexity?
Thanks,
Yaron
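The responder-side decision under discussion, modelled as an added example (this is editor-supplied code, not part of the thread and not from the draft or from either author). It keeps only the header fields the decision depends on (Message ID, Fragment Number, Total Fragments); the wire layout of the Encrypted Fragment payload, the "draft"/"proposed" policy names, the fragment size limit and the echo-style request processing are assumptions made for illustration. The "draft" policy follows the quoted MUST (fragment the retransmitted response whenever the retry arrives as fragment number 1); the "proposed" policy resends the stored response as-is unless it is actually larger than one fragment.

```python
"""Toy model of IKEv2 response retransmission under fragmentation.

Added example: not the draft's code and not any implementation's code.
Only the fields needed for the retransmit decision are modelled; the
fresh request is assumed to arrive unfragmented.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class IkeMsg:
    message_id: int
    fragment_number: int = 0   # 0 = regular (unfragmented) message
    total_fragments: int = 0   # 0 when the message is not a fragment
    body: bytes = b""

    @property
    def is_fragment(self) -> bool:
        return self.fragment_number > 0


def fragment(message_id: int, body: bytes, max_body: int) -> List[IkeMsg]:
    """Split body into Encrypted Fragment messages, Fragment Number 1-based."""
    chunks = [body[i:i + max_body] for i in range(0, len(body), max_body)] or [b""]
    return [IkeMsg(message_id, n, len(chunks), c) for n, c in enumerate(chunks, start=1)]


class Responder:
    def __init__(self, policy: str, max_fragment_body: int):
        assert policy in ("draft", "proposed")      # assumed policy names
        self.policy = policy
        self.max_fragment_body = max_fragment_body
        self.next_message_id = 0                    # next expected request ID
        self.responses: Dict[int, bytes] = {}       # Message ID -> response sent

    def process(self, request_body: bytes) -> bytes:
        # Hypothetical application logic: echo the request, so a short
        # request yields a short response and a long one a long response.
        return b"OK:" + request_body

    def retransmit(self, mid: int, response: bytes, force_fragments: bool) -> List[IkeMsg]:
        if force_fragments or len(response) > self.max_fragment_body:
            return fragment(mid, response, self.max_fragment_body)
        return [IkeMsg(mid, body=response)]

    def handle(self, msg: IkeMsg) -> List[IkeMsg]:
        mid = msg.message_id
        if mid == self.next_message_id and not msg.is_fragment:
            # Fresh request: process it, remember the response, send it plain.
            response = self.process(msg.body)
            self.responses[mid] = response
            self.next_message_id += 1
            return [IkeMsg(mid, body=response)]
        if mid in self.responses:
            response = self.responses[mid]
            if not msg.is_fragment:
                # Plain retransmitted request: resend the stored response unchanged.
                return [IkeMsg(mid, body=response)]
            if msg.fragment_number == 1:
                # Initiator lost our response and switched to fragmentation.
                # "draft": the quoted MUST, fragment regardless of size.
                # "proposed": resend as-is unless the response really is too big.
                return self.retransmit(mid, response, force_fragments=(self.policy == "draft"))
            return []   # later fragments of an already answered request: nothing to add
        return []       # unknown Message ID (fragmented fresh requests are not modelled)


if __name__ == "__main__":
    for policy in ("draft", "proposed"):
        r = Responder(policy, max_fragment_body=16)
        r.handle(IkeMsg(0, body=b"short"))
        retry = IkeMsg(0, fragment_number=1, total_fragments=2, body=b"sh")
        print(policy, "->", r.handle(retry))
```

With a 16-byte fragment limit and the 8-byte response to the constructed request "short", the "draft" policy answers the fragment-number-1 retry with a single Encrypted Fragment message (Fragment Number 1 of 1) while the "proposed" policy answers with the unchanged regular message; for a response longer than one fragment both policies produce the same fragment list.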
On 4.10.2013 15:56, Valery Smyslov wrote:
Hi all,
I've just posted a new version of the IKEv2 Fragmentation draft.
Compared with the -02 version it clarifies the Initiator's behaviour
with regard to retransmissions.
Regards,
Valery Smyslov.
----- Original Message ----- From: <[email protected]>
To: <[email protected]>
Cc: <[email protected]>
Sent: Friday, October 04, 2013 4:35 PM
Subject: [IPsec] I-D Action:
draft-ietf-ipsecme-ikev2-fragmentation-03.txt
A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the IP Security Maintenance and
Extensions Working Group of the IETF.
Title : IKEv2 Fragmentation
Author(s) : Valery Smyslov
Filename : draft-ietf-ipsecme-ikev2-fragmentation-03.txt
Pages : 20
Date : 2013-10-04
Abstract:
This document describes the way to avoid IP fragmentation of large
IKEv2 messages. This allows IKEv2 messages to traverse network
devices that don't allow IP fragments to pass through.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-fragmentation
There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-ipsecme-ikev2-fragmentation-03
A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-ikev2-fragmentation-03
Please note that it may take a couple of minutes from the time of
submission
until the htmlized version and diff are available at tools.ietf.org.
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec