On Thu, May 10, 2018 at 10:21 PM, Paul Wouters <[email protected]> wrote:
> On Thu, 10 May 2018, Shibu wrote:
>
>> PMTUD over IKE is needed anyways for large IKE cert payloads
>
> I don't agree. We can handle these with fragmentation now just fine.

IKE Fragmentation internally utilizes an MTU value - either the lowest MTU or the one discovered via PMTUD. If we use the lowest value of 1280 (say for v6), most of the link capacity (9k jumbo frames) is under-utilized. This will have an adverse effect on the tunnel setup rate also. I think PMTUD complements the IKE fragmentation use case, not the other way around, isn't it?

>> However, one caveat with the above approach is that there is an implicit
>> assumption that paths for control and data traffic
>> are the same (i.e. IP based, 3-tuple paths).
>> With SDWAN use cases (wherein paths could be orchestrated based on proto,
>> port, QoS, App ID etc.), would it be a precise
>> assumption to make? How would we handle these cases when the paths are
>> built for ESP and IKE differently?
>
> Right. UDP 4500 packets not starting with 4 zero bytes could be handled
> differently.

Thanks,
Shibu.
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
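Two points from the exchange above, illustrated with an added Python example that is not part of the thread: demultiplexing UDP/4500 datagrams by the RFC 3948 Non-ESP marker (the "4 zero bytes" Paul refers to), and estimating how many RFC 7383 IKE fragments a large payload needs at the 1280-byte minimum versus a PMTUD-discovered jumbo MTU. The per-fragment crypto overhead and the sample datagrams are constructed assumptions, not values from the thread.

```python
import math
import struct

# RFC 3948: on UDP/4500, IKE is prefixed with a 4-zero-byte Non-ESP marker,
# a single 0xFF octet is a NAT-keepalive, anything else is ESP whose first
# 4 bytes are the SPI (never zero, which is why the marker is unambiguous).
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
IKE_HEADER_LEN = 28          # fixed IKEv2 header (RFC 7296)
ENCRYPTED_FRAGMENT_HDR = 8   # generic payload header + frag number + total (RFC 7383)


def classify_udp4500(payload: bytes) -> str:
    """Return 'keepalive', 'ike', 'esp' or 'invalid' for a UDP/4500 body."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if len(payload) < 4:
        return "invalid"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"     # what follows the marker is an IKE header
    return "esp"         # first 4 bytes are a non-zero SPI


def ike_fragment_count(content_len: int, mtu: int,
                       ip_udp_overhead: int = 48, crypto_overhead: int = 32) -> int:
    """Fragments needed to carry content_len bytes of encrypted IKE content.

    ip_udp_overhead=48 assumes IPv6 (40) + UDP (8); crypto_overhead=32 is an
    assumed IV + padding + ICV budget. Both are illustrative, not normative.
    """
    per_fragment = (mtu - ip_udp_overhead - len(NON_ESP_MARKER)
                    - IKE_HEADER_LEN - ENCRYPTED_FRAGMENT_HDR - crypto_overhead)
    if per_fragment <= 0:
        raise ValueError("MTU too small to carry any IKE fragment data")
    return math.ceil(content_len / per_fragment)


# Constructed sample datagrams.
SAMPLE_IKE = NON_ESP_MARKER + bytes(IKE_HEADER_LEN)
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + bytes(16)   # SPI, seq, data

if __name__ == "__main__":
    for name, pkt in (("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP), ("ka", NAT_KEEPALIVE)):
        print(name, "->", classify_udp4500(pkt))
    # A 4000-byte cert-bearing IKE_AUTH at the v6 minimum MTU vs a 9k jumbo path.
    print("frags @1280:", ike_fragment_count(4000, 1280))
    print("frags @9000:", ike_fragment_count(4000, 9000))
```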
