Paul Wouters writes:
> On Mon, 7 Aug 2023, Tero Kivinen wrote:
>
> > Of course the optimal solution would be the original sender to not
> > send 2000 byte packets, but instead fragment the packet already
> > himself to 1300 bytes and 700 bytes, but that would require changes to
> > the
On Mon, 7 Aug 2023, Tero Kivinen wrote:
Of course the optimal solution would be the original sender to not
send 2000 byte packets, but instead fragment the packet already
himself to 1300 bytes and 700 bytes, but that would require changes to
the application and might not be that easy to do...
Paul Wouters writes:
> > You can't do that if DF=1, or IPv6.
> > You can form big ESP packets and then fragment them, even with IPv6.
> > DF=0 for IPv4 on ESP packets is good, until there is a firewall that can't
> > cope with fragments.
>
> Why does any of this even matter? The applications
Hi everyone,
Considering the various comments here is our understanding of the IKE PTB
status. The IKE PTB, in our view, is largely motivated by enabling the
egress interface to provide the EMTU_R to the ingress interface. This
results from the discussion with Joe Touch who references the
On Wed, Aug 2, 2023 at 11:28 AM Paul Wouters wrote:
> On Tue, 1 Aug 2023, Daniel Migault wrote:
>
> [The quoting got mangled in Daniel's message]
>
> > If an incoming Encrypted packet is larger than the Link MTU
> >
> >
> > How can that be? You mean you received an ESP or ESPinUDP that after
>
Michael Richardson writes:
Paul Wouters wrote:
>> > Or use IPTFS and set your own max packet size sufficiently low?
>>
>> I think that this is the killer app for IPTFS.
>>
> But of
On Thu, Aug 3, 2023 at 9:12 AM Michael Richardson
wrote:
>
> Paul Wouters wrote:
> >> > Or use IPTFS and set your own max packet size sufficiently low?
> >>
> >> I think that this is the killer app for IPTFS.
> >>
>
> > But of course this means either IPTFS should be able to
Paul Wouters wrote:
>> > Or use IPTFS and set your own max packet size sufficiently low?
>>
>> I think that this is the killer app for IPTFS.
>>
> But of course this means either IPTFS should be able to auto-tune this,
> or else we end up with hardcoded configs that
Christian Hopps wrote:
> You're confusing inner and outer traffic here. When your egress
> endpoint decaps the tunnel traffic, and then that traffic won't fit on
> its egress red link on your egress endpoint is going to send an ICMP
> too big message back to the ingress router
On Wed, Aug 2, 2023 at 9:17 PM Michael Richardson
wrote:
>
> Paul Wouters wrote:
> >> Christian Hopps wrote: >> The ingress node
> >> encrypts this packet and adds the IPsec >> encapsulation, and this
> >> IPsec-processed packet is also larger than the >> Link MTU. The
> >>
ket)
> > are both used, but I feel they are the same thing.
> >
> > TLP (Tunnel Link Packet) and LTP (no definition) are both used, and I
> > think LTP is misspelled. In some cases, “IPsec encapsulated TTP” is
> > used, and I think it also means TLP.
> >
>
On Wed, Aug 2, 2023 at 9:17 PM Michael Richardson
wrote:
>
> Paul Wouters wrote:
> >> Christian Hopps wrote: >> The ingress node
> >> encrypts this packet and adds the IPsec >> encapsulation, and this
> >> IPsec-processed packet is also larger than the >> Link MTU. The
> >>
; > LMAP extension. However, I would like to see a bit more
> > description of the whole system. How do I send path probes
> > to elicit these responses? Can I use ICMP ECHO inside the
> > tunnel, or do we need draft-colitti-ipsecme-esp-ping? If
Paul Wouters wrote:
>> Christian Hopps wrote: >> The ingress node
>> encrypts this packet and adds the IPsec >> encapsulation, and this
>> IPsec-processed packet is also larger than the >> Link MTU. The
>> ingress node fragments this IPsec-processed packet and >> sends all
On Tue, 1 Aug 2023, Daniel Migault wrote:
[The quoting got mangled in Daniel's message]
If an incoming Encrypted packet is larger than the Link MTU
How can that be? You mean you received an ESP or ESPinUDP that after
decrypting was too large for the link you need to send the decrypted
On Wed, 2 Aug 2023, Michael Richardson wrote:
Christian Hopps wrote:
>> The ingress node encrypts this packet and adds the IPsec
>> encapsulation, and this IPsec-processed packet is also larger than the
>> Link MTU. The ingress node fragments this IPsec-processed packet and
>>
Christian Hopps wrote:
>> The ingress node encrypts this packet and adds the IPsec
>> encapsulation, and this IPsec-processed packet is also larger than the
>> Link MTU. The ingress node fragments this IPsec-processed packet and
>> sends all the fragments to the egress node.
“IPsec encapsulated TTP” is
used, and I think it also means TLP.
Regards & Thanks!
Wei Pan (潘伟)
From: IPsec [mailto:ipsec-boun...@ietf.org] On Behalf Of Daniel
Migault
Sent: Wednesday, August 2, 2023 12:56 AM
To: Ben Schwartz
Cc: Harold Liu ;
ipsec@ietf.org
Subject: Re: [IPsec] -ikev
Psec [mailto:ipsec-boun...@ietf.org] On Behalf Of Daniel Migault
Sent: Wednesday, August 2, 2023 12:56 AM
To: Ben Schwartz
Cc: Harold Liu ; ipsec@ietf.org
Subject: Re: [IPsec] -ikev2-mtu-dect: IKEv2 PTB Notification
Hi Ben,
Just trying to position our understanding of the position between the ICMP
ent: Monday, July 31, 2023 12:10 PM
To: Ben Schwartz
Cc: Harold Liu ;
ipsec@ietf.org
Subject: Re: [IPsec] -ikev2-mtu-dect: IKEv2 PTB Notification
Hi Ben, Please see my comments. On Mon, Jul 31, 2023 at
10:47 AM Ben Schwartz wrote: Hi Harol
Paul Wouters wrote:
> On Aug 1, 2023, at 12:56, Daniel Migault wrote:
>>
>> Hi Ben, Just trying to position our understanding of the position
>> between the ICMP PTB and the IKE PTB. If an incoming Encrypted packet
>> is larger than the Link MTU
> How can that be?
Hi Paul,
Please see my response in line.
Yours,
Daniel
On Tue, Aug 1, 2023 at 2:15 PM Paul Wouters wrote:
> On Aug 1, 2023, at 12:56, Daniel Migault wrote:
>
>
>
>
> Hi Ben,
>
> Just trying to position our understanding of the position between the ICMP
> PTB and the IKE PTB.
>
> If an
On Aug 1, 2023, at 12:56, Daniel Migault wrote:
>
>
> Hi Ben,
> Just trying to position our understanding of the position between the ICMP
> PTB and the IKE PTB.
> If an incoming Encrypted packet is larger than the Link MTU
How can that be? You mean you received an ESP or ESPinUDP that
de the tunnel, or do we
>> need draft-colitti-ipsecme-esp-ping? If we have path probes, why not just
>> set DF=1 on the outer header for PMTUD?
>>
>> --Ben Schwartz
>> --
>> *From:* Daniel Migault
>> *Sent:* Monday, July 31, 2023 12:10 PM
D I-D.spiriyath-ipsecme-dynamic-ipsec-pmtu for ESP is another path,
> but it would take a lot of effort.
>
> Yours,
> Daniel
>
>
> --Ben SchwartzI-D.spiriyath-ipsecme-dynamic-ipsec-pmtu
> ------
> *From:* Harold Liu
> *Sent:* Sunday, July 30, 2023 9:28
artz
Cc: Harold Liu ; ipsec@ietf.org
Subject: Re: [IPsec] -ikev2-mtu-dect: IKEv2 PTB Notification
Hi Ben, Please see my comments. On Mon, Jul 31, 2023 at 10:47 AM Ben Schwartz
wrote: Hi Harold, It sounds like you're describing a
different problem. Daniel mentioned a concern about cases in w
> --Ben SchwartzI-D.spiriyath-ipsecme-dynamic-ipsec-pmtu
> --
> *From:* Harold Liu
> *Sent:* Sunday, July 30, 2023 9:28 PM
> *To:* Ben Schwartz ; Daniel Migault
> *Cc:* ipsec@ietf.org
> *Subject:* RE: [IPsec] -ikev2-mtu-dect: IKEv2 PTB Notification
rdinary IP fragmentation and PMTUD.
--Ben Schwartz
From: Harold Liu
Sent: Sunday, July 30, 2023 9:28 PM
To: Ben Schwartz ; Daniel Migault
Cc: ipsec@ietf.org
Subject: RE: [IPsec] -ikev2-mtu-dect: IKEv2 PTB Notification
Ben, thanks for your comment. Yes at the beginning
error responses.
Brs
From: IPsec On Behalf Of Ben Schwartz
Sent: Saturday, July 29, 2023 8:01 AM
To: Daniel Migault
Cc: ipsec@ietf.org
Subject: Re: [IPsec] -ikev2-mtu-dect: IKEv2 PTB Notification
+mailing list (oops)
I think I understand the difficulty here. In IPv6, a "maximum reasse
8, 2023 10:47 AM
To: Ben Schwartz
Subject: Re: [IPsec] -ikev2-mtu-dect: IKEv2 PTB Notification
I see the next link as being the network behind the egress security gateway in
which case the packet would be the clear text packet. In that case maybe we
could expect an ICMP PTB being sent to