On Wed, 11 Apr 2018, Ron Bonica wrote:
> - If we do nothing, tunnel performance is acceptable but suboptimal. We can
> prevent blackholing by statically configuring the tunnel MTU to a sufficiently
> low value. However, we cannot take advantage of tunnels with larger PMTUs.
> - If we use IKE to exchange probes and acks, tunnel performance may become
> totally unacceptable. In the situation where a) IKE messages traverse a
> different path than encrypted payloads and b) the PMTU associated with the IKE
> path is greater than the PMTU associated with encrypted payload path, we may
> produce an inflated estimate of the Tunnel MTU. This may lead to black holing.
Using IKE also has a disadvantage for those implementations that
only support a window size of one. If those IKE messages are lost -
which is highly likely because we are trying out larger window sizes
until we find something that works - things get tricky (even trickier
than the current liveness + mobike situation).
Paul
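The path-mismatch failure mode described above can be made concrete with a small model. The following Python is an added illustration, not code from the thread or from any IKE/IPsec implementation: it models an IKE path and an ESP path with constructed PMTU values (1500 and 1400 bytes), probes each the way a "try larger sizes until one works" scheme would, and reports which payloads the resulting tunnel MTU black-holes on the ESP path. The static-MTU option is included for comparison; the window-size-one problem with lost IKE messages is not modelled.

```python
"""Constructed model of tunnel-MTU estimation when IKE and ESP take different paths.

Probing on the IKE path over-estimates the tunnel MTU whenever the IKE path's
PMTU exceeds the ESP path's, and packets sized to that estimate are dropped
(black-holed) on the ESP path. All sizes below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    name: str
    pmtu: int  # largest packet this path forwards without fragmentation

    def forwards(self, size: int) -> bool:
        return size <= self.pmtu


def probe_path(path: Path, candidates) -> int:
    """Largest candidate size the path carries.

    Models trying progressively larger probe sizes until one is lost; a probe
    that is too large simply disappears (no ICMP feedback, as in a black hole).
    Forwarding is monotonic in size, so the first loss ends the search.
    """
    best = 0
    for size in sorted(candidates):
        if not path.forwards(size):
            break  # this and all larger probes are lost
        best = size
    return best


def blackholed(payload_sizes, tunnel_mtu: int, esp_path: Path) -> list[int]:
    """Payloads the tunnel accepts (<= tunnel_mtu) but the ESP path drops."""
    return [s for s in payload_sizes if s <= tunnel_mtu and not esp_path.forwards(s)]


# Constructed topology: IKE messages take a path with a larger PMTU than ESP does.
IKE_PATH = Path("ike", pmtu=1500)
ESP_PATH = Path("esp", pmtu=1400)
PROBE_SIZES = (1280, 1400, 1420, 1460, 1500)
PAYLOADS = (1280, 1400, 1450, 1500)
STATIC_TUNNEL_MTU = 1280  # conservative static configuration (constructed value)


def assess(tunnel_mtu: int, payloads=PAYLOADS, esp_path=ESP_PATH) -> dict:
    """Outcome of running the given tunnel MTU against the ESP path."""
    return {
        "tunnel_mtu": tunnel_mtu,
        "blackholed": blackholed(payloads, tunnel_mtu, esp_path),
        # Payloads larger than the tunnel MTU are refused up front (suboptimal, but safe).
        "refused": [s for s in payloads if s > tunnel_mtu],
    }


def run_scenario() -> dict:
    """Compare the three options from the thread under the constructed topology."""
    return {
        "static": assess(STATIC_TUNNEL_MTU),
        "probe_on_ike_path": assess(probe_path(IKE_PATH, PROBE_SIZES)),
        "probe_on_esp_path": assess(probe_path(ESP_PATH, PROBE_SIZES)),
    }


if __name__ == "__main__":
    for label, result in run_scenario().items():
        print(f"{label:>18}: {result}")
```

Probing on the IKE path yields a tunnel MTU of 1500, so the 1450- and 1500-byte payloads are accepted and then silently dropped on the 1400-byte ESP path; the static 1280-byte setting black-holes nothing but refuses every larger payload, which is the "acceptable but suboptimal" case. Only probing on the path the encrypted payloads actually take produces an estimate that is both safe and as large as the ESP path allows.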
_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec