Valery Smyslov writes:
> my concern is that these MODP groups will have public keys of 1.5-2
> Kb in size, so it can make using them problematic in the real world due
> to fragmentation issues...
In most of those cases the uses are not really road warriors or similar setups, but more along the lines of an SGW between two offices, and the network can often be required to behave properly. I.e., if your company's ISP drops all fragments, better switch to another ISP or complain to the ISP and require them to fix the issue. This is very different than the normal cases where there is no point in trying to get big UDP packets through the hotel captive portal, or NAT etc.

We were mostly able to get IKE to work with certificates and so even before IKE fragmentation with similar packet sizes, and we do have text in section 2 of RFC 7296 which says that implementations SHOULD work with 3000 octets long packets:

   All IKEv2 implementations MUST be able to send, receive, and process
   IKE messages that are up to 1280 octets long, and they SHOULD be able
   to send, receive, and process messages that are up to 3000 octets
   long.

This of course does not mean that long packets work through your network, but in an SGW <-> SGW setting that can quite often be taken care of. IKEv2 implementations themselves should still work with such packets if the network works.
--
[email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
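The size question the two posters are arguing about can be put in numbers. The following is an added example, not code from the thread or from any IKE implementation: it estimates how large an IKE_SA_INIT message gets for a given MODP public value, compares it with the 1280/3000 octet limits quoted from RFC 7296, and counts the IPv4 fragments a plain UDP datagram would need. The nonce and SA payload lengths are constructed assumptions; the RFC 3526 group sizes are real, and the 12288/16384-bit inputs only stand in for the "1.5-2 Kb" public keys Valery mentions, not for any specific group ID.

```python
import math

# Constants from RFC 7296 (header sizes and message-size tiers).
IKE_HEADER = 28        # fixed IKEv2 header (section 3.1)
PAYLOAD_HEADER = 4     # generic payload header
KE_EXTRA = 4           # KE payload: DH group number (2) + reserved (2)
MUST_LIMIT = 1280      # every implementation MUST handle up to this
SHOULD_LIMIT = 3000    # and SHOULD handle up to this
# Constructed assumptions for the remaining payloads.
NONCE_LEN = 32         # nonce length (RFC allows 16..256)
SA_PAYLOAD_LEN = 48    # one small proposal with a few transforms

# Modulus sizes (bits) of the RFC 3526 MODP groups, keyed by transform ID.
MODP_BITS = {14: 2048, 15: 3072, 16: 4096, 17: 6144, 18: 8192}


def ke_payload_len(modulus_bits):
    """KE payload length: the public value is as long as the modulus."""
    return PAYLOAD_HEADER + KE_EXTRA + modulus_bits // 8


def ike_sa_init_len(modulus_bits, nonce_len=NONCE_LEN, sa_len=SA_PAYLOAD_LEN):
    """Rough IKE_SA_INIT size: header + SA + KE + nonce. CERTREQ, NAT_DETECTION
    and other notifies are left out; they only make the message larger."""
    return IKE_HEADER + sa_len + ke_payload_len(modulus_bits) + PAYLOAD_HEADER + nonce_len


def classify(ike_len):
    """Which RFC 7296 size tier the message falls into."""
    if ike_len <= MUST_LIMIT:
        return "MUST"
    if ike_len <= SHOULD_LIMIT:
        return "SHOULD"
    return "over"


def ipv4_fragments(ike_len, path_mtu=1500):
    """IPv4 fragments for one UDP datagram (20-byte IP header, no options).
    Fragment payloads must be multiples of 8 octets. Note that IKE
    fragmentation (RFC 7383) cannot help here: it only splits the Encrypted
    payload, and IKE_SA_INIT is sent in the clear."""
    per_frag = (path_mtu - 20) // 8 * 8
    return math.ceil((8 + ike_len) / per_frag)


def report(modulus_bits):
    n = ike_sa_init_len(modulus_bits)
    return {"bits": modulus_bits, "ike_len": n, "tier": classify(n),
            "ipv4_frags": ipv4_fragments(n)}


if __name__ == "__main__":
    for bits in list(MODP_BITS.values()) + [12288, 16384]:
        print(report(bits))
```

Even an 8192-bit value stays under 1280 octets in this bare message, while the 1.5-2 KB values land in the SHOULD tier and need two IPv4 fragments on a 1500-byte path, which is exactly the case where a fragment-dropping ISP matters.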
