On Thu, May 10, 2018 at 10:21 PM, Paul Wouters wrote:
> On Thu, 10 May 2018, Shibu wrote:
>
> PMTUD over IKE is needed anyways for large IKE cert payloads
>>
>
> I don't agree. We can handle these with fragmentation now just fine.
>
>
IKE Fragmentation internally utilize an MTU value - either
On Thu, 10 May 2018, Shibu wrote:
PMTUD over IKE is needed anyways for large IKE cert payloads
I don't agree. We can handle these with fragmentation now just fine.
However, one caveat with above approach is that there is an implicit assumption
that paths for control and data traffic
are
Shibu wrote:
> PMTUD over IKE is needed anyways for large IKE cert payloads, so if we do
> PMTUD over IKE, we could depend upon the same discovered MTU value for
ESP
> paths as well as a guidance value. This seems to work for most of the
> cases, and there
Shibu writes:
> With SDWAN use cases (wherein paths could be orchestrated based on proto,
> port, QoS, App ID etc), would it be a precise assumption to make? How would
> we handle these cases when the paths are build for ESP and IKE differently?
If the ESP and IKEv2 packates do not follow the
Hello Tero and all,
We discussed internally among the authors and it looks there exist 3
choices - to do PMTUD over IKE, or ESP or both. (Many reviewers have
already pointed out these at various stages, just collating them here).
PMTUD over IKE is needed anyways for large IKE cert payloads, so
On Fri, 13 Apr 2018, Tero Kivinen wrote:
Paul Wouters writes:
Using IKE also has a disandvantage for for those implementations that
only support a window size of one. If those IKE messages are lost -
which is highly likely because we are trying out larger window sizes
until we find something
Paul Wouters writes:
> Using IKE also has a disandvantage for for those implementations that
> only support a window size of one. If those IKE messages are lost -
> which is highly likely because we are trying out larger window sizes
> until we find something that works - things get tricky (even
Ron Bonica writes:
> In 99.9% of cases you are probably correct. If there is an ECMP
> between the encrypting node and the decrypting node, all ECMPs have
> the same PMTU.
Is it 99.9%, or 99.%?
> And because this is true in such a vast majority of cases, none of
> us have seen a situation
Ron Bonica writes:
> Hi Valery,
>
> I am thinking like this...
>
> - If we do nothing, tunnel performance is acceptable but
> suboptimal. We can prevent blackholing by statically configuring
> the tunnel MTU to a sufficiently low value. However, we cannot
> take advantage of tunnels
On Wed, 11 Apr 2018, Ron Bonica wrote:
- If we do nothing, tunnel performance is acceptable but suboptimal. We can
prevent blackholing by statically configuring the tunnel MTU to a sufficiently
low value. However, we cannot take advantage of tunnels with larger PMTUs.
- If we use IKE to
>Ron
>
>
> > -Original Message-
> > From: Valery Smyslov <smyslov.i...@gmail.com>
> > Sent: Tuesday, April 10, 2018 2:57 AM
> > To: Ron Bonica <rbon...@juniper.net>; 'Michael Richardson'
m>
> Sent: Tuesday, April 10, 2018 2:57 AM
> To: Ron Bonica <rbon...@juniper.net>; 'Michael Richardson'
> <mcr+i...@sandelman.ca>
> Cc: ipsec@ietf.org
> Subject: RE: [IPsec] PLMTUD probes for IPsec
>
> Hi Ron,
>
> > Both good points. So, it appears that
Valery Smyslov writes:
> > Both good points. So, it appears that we have the following choices:
> >
> > - leverage IKE for exchanging probes and acks (But risk sending probes and
> > acks over a different path than
> > encrypted data)
> > - send probes and acks in-band. Try UDP probes first. If
From: Valery Smyslov <smyslov.i...@gmail.com>
> > Sent: Friday, April 6, 2018 3:24 AM
> > To: Ron Bonica <rbon...@juniper.net>; 'Michael Richardson'
> > <mcr+i...@sandelman.ca>
> > Cc: ipsec@ietf.org
> > Subject: RE: [IPsec] PLMTUD probes for IPsec
>
> > -Original Message-
> > From: Michael Richardson <mcr+i...@sandelman.ca>
> > Sent: Thursday, April 5, 2018 11:09 AM
> > To: Valery Smyslov <smyslov.i...@gmail.com>
> > Cc: ipsec@ietf.org; Ron Bonica <rbon...@juniper.net>
> > Subject:
rbon...@juniper.net>
> Subject: Re: [IPsec] PLMTUD probes for IPsec
>
>
> Valery Smyslov <smyslov.i...@gmail.com> wrote:
> >> > Dynamic IPsec PMTU PLPMTUD - Shibu Piriyath, Ron Bonica
> >> > https://datatracker.ietf.org/meeting/101/material
Valery Smyslov wrote:
>> > Dynamic IPsec PMTU PLPMTUD - Shibu Piriyath, Ron Bonica
>> >
https://datatracker.ietf.org/meeting/101/materials/slides-101-ipsecme-packetization-layer-path-mtu-
>> discovery-01
>>
>> > Problem: IPsec Tunnel has an PMTU as
Hi Paul,
> > Why IKE messages cannot be used for this purpose?
>
> IKE messages might not take the same path, eg ESP goes through hardware
> offload or other things, or intermediary routers might have different
> rules for UDP vs ESP.
True, unless UDP encapsulation is used...
Regards,
Valery.
On Thu, 5 Apr 2018, Valery Smyslov wrote:
Why IKE messages cannot be used for this purpose?
IKE messages might not take the same path, eg ESP goes through hardware
offload or other things, or intermediary routers might have different
rules for UDP vs ESP.
Paul
Hi Michael,
> > Dynamic IPsec PMTU PLPMTUD - Shibu Piriyath, Ron Bonica
> >
> https://datatracker.ietf.org/meeting/101/materials/slides-101-ipsecme-packetization-layer-path-mtu-
> discovery-01
>
> > Problem: IPsec Tunnel has an PMTU as any other tunnel.
> > Solution in Transport
20 matches
Mail list logo