I have reviewed this draft again.
I think we should add a bit more to the introduction, i.e. explain that the
common case for this protocol is to fragment exactly ONE message pair
(IKE_AUTH), and those messages are most commonly around 500-3000 bytes
long.
For example, doing proper PMTU for sending exactly one 3000-byte packet
is quite a lot of overhead.
--
In section 2.6. Receiving IKE Fragment Message:
----------------------------------------------------------------------
* check that Fragment Number and Total Fragments fields are non-
zero
* check that Fragment Number field is less than or equal to Total
Fragments field
* if reassembling has already started, check that Total Fragments
field is equal to or greater than Total Fragments field in
fragments, that have already received
If either of this tests fails message MUST be silently discarded.
----------------------------------------------------------------------
Replace /If either of this tests/If any of these tests/.
----------------------------------------------------------------------
When all IKE Fragment Messages (as indicated in the Total Fragments
field) are received, content of their Encrypted Fragment Payloads is
decrypted and merged together to form content of original Encrypted
Payload, and, therefore, along with IKE Header and unencrypted
Payloads (if any), original message. Then it is processed as if it
was received, verified and decrypted as regular unfragmented message.
----------------------------------------------------------------------
This text might cause confusion, as it says that when we have all
fragments, we "...Encrypted Fragment Payloads is decrypted and merged
...", when actually the Encrypted Fragment Payloads are already
decrypted when we initially received them. So changing that to:
----------------------------------------------------------------------
When all IKE Fragment Messages (as indicated in the Total Fragments
field) are received, content of their already decrypted Encrypted
Fragment Payloads is merged together to form content of original
Encrypted Payload, and, therefore, along with IKE Header and
unencrypted Payloads (if any), original message. Then it is
processed as if it was received, verified and decrypted as regular
unfragmented message.
----------------------------------------------------------------------
--
[email protected]
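
The receive checks and the reassembly step quoted in this message, as an added sketch that is not part of the original e-mail or of the draft. The class, `xor_stub` and `demo` are hypothetical names, the decrypt callable is a placeholder, and restarting reassembly when a larger Total Fragments arrives is an assumption the quoted text does not state.

```python
from typing import Callable, Dict, Optional

class FragmentReassembler:
    # Reassembly state for one fragmented IKE message (hypothetical name).

    def __init__(self, decrypt: Callable[[bytes], bytes]):
        # decrypt: placeholder for verifying and decrypting one Encrypted
        # Fragment Payload; not a real IKE library call.
        self.decrypt = decrypt
        self.total = 0                     # Total Fragments accepted so far
        self.parts: Dict[int, bytes] = {}  # Fragment Number -> plaintext

    def receive(self, num: int, total: int, payload: bytes) -> Optional[bytes]:
        """Return the merged plaintext once complete, otherwise None."""
        # Both fields non-zero, and Fragment Number <= Total Fragments.
        if num == 0 or total == 0 or num > total:
            return None
        # Once reassembly has started, Total Fragments must not shrink.
        if self.parts and total < self.total:
            return None
        if self.parts and total > self.total:
            # Assumption, not stated in the quoted text: a larger Total
            # Fragments restarts reassembly with the new fragment set.
            self.parts.clear()
        self.total = total
        if num not in self.parts:
            # Decrypt on arrival, so only plaintext is ever stored.
            self.parts[num] = self.decrypt(payload)
        if len(self.parts) < self.total:
            return None
        # Complete: merge the already decrypted contents in fragment order.
        merged = b"".join(self.parts[i] for i in range(1, self.total + 1))
        self.parts.clear()
        self.total = 0
        return merged

def xor_stub(data: bytes) -> bytes:
    # Constructed stand-in for authenticated decryption; not a real cipher.
    return bytes(b ^ 0x5A for b in data)

def demo() -> Optional[bytes]:
    # Constructed input: 3000-byte message, three fragments, out of order,
    # with two invalid fragments mixed in.
    message = bytes(range(250)) * 12
    frags = {n: xor_stub(message[(n - 1) * 1000:n * 1000]) for n in (1, 2, 3)}
    r = FragmentReassembler(xor_stub)
    result = None
    for num, total in [(2, 3), (0, 3), (3, 3), (1, 2), (1, 3)]:
        result = r.receive(num, total, frags.get(num, b""))
    return result
```

Fragments that fail a check return `None` and leave the stored state untouched, which matches the "silently discarded" wording in the quoted section.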