Hi (as an individual contributor)

So this is IPsec tunnel mode, which is commonly used for VPN, which means that one of the parties is quite likely behind a NAT or at least a firewall. Thus, relying on IP fragmentation is likely to mean all fragmented packets are dropped on the floor by the middlebox. Especially when using IP/UDP/ESP for NAT traversal.

Also, the segmentation mechanism that ROHC has is currently defined to be turned off. The ROHC people can fill in the motivation for that. One is clearly the need to keep state in the tunnel end-points for reassembly.

So options in this space seem to be:

For the next 3 options I assume that ingress will discard the packet and send ICMP back if the packet is larger than the ROHC MTU set and has DF set.

1. Set a commonly supported ROHC MTU and rely on IP fragmentation to handle the few packets that get expanded beyond the underlying MTU. However, middleboxes make it unlikely that this will work, and losing the packets that get expanded means failure to establish the ROHC state needed for the rest of the packets => 100% losses.

2. Set a commonly supported ROHC MTU for the tunnel and use ROHC segmentation to handle the packets that get expanded beyond PMTUD. Increased loss rate for important state-establishing packets. Not certain that the ROHC segmentation mechanism can work over reordering transports.

3. Set the ROHC MTU value to a safe enough value that packet expansion also has room within the underlying MTU. Reduces the gain of ROHC, as the byte savings are offset by increased packet overhead.

4. On a per-packet basis, see if it fits; any packet with DF set which after ROHC processing doesn't fit the underlying MTU will be discarded. Will result in varying values for the supported MTU being sent back by ICMP. Affects either implementation complexity by rolling back state or reduces error robustness by discarding encoded packets.

Are there more options?

Cheers

Magnus Westerlund

IETF Transport Area Director & TSVWG Chair
----------------------------------------------------------------------
Multimedia Technologies, Ericsson Research EAB/TVM
----------------------------------------------------------------------
Ericsson AB                | Phone  +46 10 7148287
Färögatan 6                | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden| mailto: [email protected]
----------------------------------------------------------------------
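
Added example, not part of the original message: a small Python model of the ingress decision for DF-marked packets under the fixed ROHC MTU of options 1-3 and the per-packet check of option 4. The MTU, tunnel overhead and ROHC expansion figures, all function names, and the way option 4 derives the MTU it reports in ICMP are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed figures for illustration; none come from the original message.
UNDERLYING_MTU = 1500   # MTU of the path between the tunnel endpoints
TUNNEL_OVERHEAD = 73    # assumed outer IP + UDP + ESP bytes per packet
MAX_EXPANSION = 16      # assumed worst-case ROHC growth (state-establishing packet)

@dataclass
class Packet:
    size: int        # inner packet size before ROHC, DF set
    rohc_delta: int  # bytes ROHC adds (+) or saves (-) on this packet

def outer_size(pkt):
    """Size on the wire after ROHC processing and tunnel encapsulation."""
    return pkt.size + pkt.rohc_delta + TUNNEL_OVERHEAD

def fixed_mtu_ingress(pkt, rohc_mtu):
    """Options 1-3: one configured ROHC MTU, checked before compression."""
    if pkt.size > rohc_mtu:
        return ("icmp", rohc_mtu)              # same value every time
    if outer_size(pkt) > UNDERLYING_MTU:
        # Options 1 and 2 must now fragment or segment this packet.
        return ("needs-fragmentation", outer_size(pkt))
    return ("forward", outer_size(pkt))

def per_packet_ingress(pkt):
    """Option 4: compress first, then test the result against the underlying MTU."""
    if outer_size(pkt) > UNDERLYING_MTU:
        # Assumed: the reported MTU reflects this packet's ROHC result, so it varies.
        return ("icmp", UNDERLYING_MTU - TUNNEL_OVERHEAD - pkt.rohc_delta)
    return ("forward", outer_size(pkt))

def safe_rohc_mtu():
    """Option 3: leave room for worst-case expansion inside the underlying MTU."""
    return UNDERLYING_MTU - TUNNEL_OVERHEAD - MAX_EXPANSION

if __name__ == "__main__":
    samples = {"context setup": Packet(1425, 16), "partial context": Packet(1425, 4),
               "steady state": Packet(1420, -36)}
    for name, pkt in samples.items():
        print(f"{name:16} opt1/2={fixed_mtu_ingress(pkt, UNDERLYING_MTU - TUNNEL_OVERHEAD)}"
              f" opt3={fixed_mtu_ingress(pkt, safe_rohc_mtu())}"
              f" opt4={per_packet_ingress(pkt)}")
```

With these figures, option 3 rejects a 1420-byte packet that would have fit after compression, while option 4 reports two different MTU values to the same sender for packets of identical size.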
