Ron Bonica writes:
> In 99.9% of cases you are probably correct. If there is an ECMP
> between the encrypting node and the decrypting node, all ECMPs have
> the same PMTU. 

Is it 99.9%, or 99.9999%? 

> And because this is true in such a vast majority of cases, none of
> us have seen a situation where one ECMP has a larger PMTU than the
> next.

If none has yet been seen, it is much closer to 100% than 99.9%.
Depending of course on how many setups people have seen... 

> However, we still need to be prepared for that rare situation where
> one ECMP does have a greater PMTU than the next. Although black
> swans are rare, they bite very hard! 

There is also the option to say that the network is so broken that we
fall back to IPsec over TCP, and in that case both ESP and IKE packets
go inside the same TCP stream and MTU discovery is done similarly for
both, so things work. I.e., that might be an acceptable solution for
those rare, really broken cases.
-- 
[email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
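To make the ECMP/PMTU point in the exchange above concrete, here is an added example; it is not from the thread, the IETF list, or any IPsec implementation. It assumes a constructed four-path ECMP topology, a toy per-flow hash (not any vendor's real algorithm), the constructed addresses 192.0.2.1 and 198.51.100.7, and helper names such as find_black_hole_spi and esp_sized_from_tcp_pmtu that exist only here. It shows IKE over UDP and ESP being hashed onto paths with different MTUs, so a PMTU learned on the IKE flow over-sizes ESP packets, and how carrying both inside one TCP connection, as the fallback in the mail describes, collapses them into a single flow with a single PMTU.

```python
"""
Constructed illustration of the ECMP/PMTU problem discussed in the thread.
Nothing here comes from the IPsec list or a real implementation: the
topology, the ECMP hash and the addresses are all made up for the example.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed topology: four equal-cost paths, one with a smaller MTU.
PATH_MTUS = (1500, 1500, 1500, 1280)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int      # 17 = UDP, 6 = TCP, 50 = ESP
    a: int = 0      # source port, or for ESP the high 16 bits of the SPI
    b: int = 0      # destination port, or for ESP the low 16 bits of the SPI


def ecmp_index(flow: Flow, n_paths: int = len(PATH_MTUS)) -> int:
    """Toy per-flow hash (assumed; not any router vendor's algorithm).
    The only property that matters is that IKE and ESP present
    different tuples, so they may land on different paths."""
    h = sum(int(o) for o in flow.src.split(".")) * 131
    h += sum(int(o) for o in flow.dst.split(".")) * 17
    h += flow.proto * 7 + flow.a * 3 + flow.b
    return h % n_paths


def path_mtu(flow: Flow) -> int:
    return PATH_MTUS[ecmp_index(flow)]


def ike_udp_flow(src: str, dst: str) -> Flow:
    # IKE over UDP port 4500 (the NAT-T port)
    return Flow(src, dst, 17, 4500, 4500)


def esp_flow(src: str, dst: str, spi: int) -> Flow:
    # Routers that hash ESP typically use the SPI in place of ports
    return Flow(src, dst, 50, spi >> 16, spi & 0xFFFF)


def tcp_encap_flow(src: str, dst: str, sport: int = 40000) -> Flow:
    """IPsec over TCP: IKE and ESP share one TCP connection, hence one tuple."""
    return Flow(src, dst, 6, sport, 4500)


def delivered(flow: Flow, size: int) -> bool:
    """DF is set, so a packet gets through only if it fits the MTU of the
    path the ECMP hash chose for this flow (otherwise it is black-holed)."""
    return size <= path_mtu(flow)


def esp_sized_from_ike_pmtu(src: str, dst: str, spi: int) -> bool:
    """Sender discovers PMTU on the IKE flow and sizes ESP packets from it.
    Returns True if such an ESP packet still gets through."""
    learned = path_mtu(ike_udp_flow(src, dst))
    return delivered(esp_flow(src, dst, spi), learned)


def find_black_hole_spi(src: str, dst: str, spis=range(1, 1 << 12)) -> Optional[int]:
    """First SPI whose ESP flow is hashed onto a narrower path than IKE's,
    i.e. a case where the PMTU learned via IKE is wrong for ESP."""
    for spi in spis:
        if not esp_sized_from_ike_pmtu(src, dst, spi):
            return spi
    return None


def esp_sized_from_tcp_pmtu(src: str, dst: str) -> bool:
    """Fallback from the mail: IKE and ESP inside one TCP stream. PMTU is
    learned once on that flow (by the IKE traffic) and ESP rides the same
    tuple, so it lands on the same path."""
    connection = tcp_encap_flow(src, dst)
    learned_via_ike = path_mtu(connection)
    return delivered(connection, learned_via_ike)


if __name__ == "__main__":
    SRC, DST = "192.0.2.1", "198.51.100.7"   # constructed addresses
    print("IKE path MTU:", path_mtu(ike_udp_flow(SRC, DST)))
    spi = find_black_hole_spi(SRC, DST)
    print("first ESP SPI hashed onto a narrower path:", spi)
    if spi is not None:
        print("ESP path MTU for that SPI:", path_mtu(esp_flow(SRC, DST, spi)))
    print("IPsec over TCP, both on one path:", esp_sized_from_tcp_pmtu(SRC, DST))
```

The toy hash is deliberately linear in the SPI so the outcome can be checked by hand; with a real router hash the same mismatch appears, just for some other SPI. The TCP fallback does not remove the narrow path, it only guarantees that IKE and ESP discover the same one.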