Hi, all,
I've reviewed the following doc for TSVDIR:
draft-amjads-ipsecme-ikev2-data-channel-00
Although this is not intended as a complete TSVDIR review, I have
checked for the typical issues.
Joe
-------------------------------------------------------------------
draft-amjads-ipsecme-ikev2-data-channel-00
This doc makes the case that IKEv2 can provide a secure data channel for
arbitrary communication, rather than being used (as designed) to
configure IPsec channels for that purpose.
This mechanism lacks congestion control, and so needs to be used only
where its load is known to be a small fraction of capacity. Specifically,
IKE's window mechanism allows for increasing the window size but not
decreasing it, as is needed to react to network congestion.
The acknowledged data transfer mode uses IKE's window mechanism, which
is presumably set to a small value, and may result in very low
throughput. Attempts to increase this window size to overcome this
limitation can easily increase burstiness and network loss.
This mechanism includes its own fragmentation mechanism based on a
pre-configured MTU, where it should use an adaptive size based on
PLMTUD (RFC4821). The mechanism described replicates that of IP, and so
introduces no new issues. Fragment reassembly appears to rely on the IKE
sequence number, and the relationship between the two should be more
clear, especially on the reuse of the IKE sequence number and how that
affects reassembly timeout.
---
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec