Re: [Hipsec] Segmentation within HIP

Robert Moskowitz <> Tue, 29 March 2016 14:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 43F2C12D885 for <>; Tue, 29 Mar 2016 07:29:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Ld9oFAFwfgVF for <>; Tue, 29 Mar 2016 07:29:00 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D52C812D878 for <>; Tue, 29 Mar 2016 07:28:41 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4A53562269; Tue, 29 Mar 2016 10:28:37 -0400 (EDT)
X-Virus-Scanned: amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with LMTP id cTE7wgM75mlF; Tue, 29 Mar 2016 10:28:13 -0400 (EDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 7715D62265; Tue, 29 Mar 2016 10:28:12 -0400 (EDT)
To: Miika Komu <>, Varjonen Samu <>
References: <> <>
From: Robert Moskowitz <>
Message-ID: <>
Date: Tue, 29 Mar 2016 10:28:09 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------000403060606030801090906"
Archived-At: <>
Subject: Re: [Hipsec] Segmentation within HIP
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 29 Mar 2016 14:29:02 -0000

While working on 802.15.9, Tero and I discussed this.  IKEv1 allowed for 
REALLY BIG cert chains and had lots or problems even without NATs.  
IKEv2 is more restrictive such that we designed 15.9 worst case 
frag/reassem to be 24KB (more than enough per Tero):

"4.7 KMP Payload Size

As the MP Data layer allows a KMP payload to be fragmented up to 256 
fragments, this means that even if
the PHY is using 127 octet PSDUs (96 octets effective fragment size), 
this recommended practice can use
KMP payloads up to 24 576 octets."

If you design a UDP service that supports 32 fragments (5 bit counter), 
you can support payloads of ~15KB.

On 03/29/2016 03:50 AM, Miika Komu wrote:
> Hi Samu,
> On 03/26/2016 03:16 AM, Tom Henderson wrote:
>> On 03/25/2016 03:49 PM, Derek Fawcus wrote:
>>> Recently I've been working on middlebox s/w:  Firewalls and NAT.
>>> One thing this has brought home to me is just how unreliable
>>> fragmentation is on the current Internet.  NAT will often simply
>>> break it (such that they can not be reassembled) or just discard
>>> them,  and firewalls are often set up to block them.
>>> As such,  almost every protocol now would seem to need protocol
>>> level segmentation/fragmentation,  rather than depend up IP level
>>> fragmentation.
>>> It struck me that it should be quite simple to extend HIP to
>>> support such.
>>> 1) Add a Controls bit which advertises that the sender supports
>>> segmentation. 2) Define a new parameter,  numbered 1 such that it
>>> is first in the parameters,  and is critical. Within the parameter
>>> have a seqno/identifier, offset and more segments / final segment
>>> bit, possibly also a total size field.  Define some simple
>>> reassembly rules,  similar to those for IP fragments, such that one
>>> could reassemble a HIP packet larger than 2008 bytes if desired
>>> (how big?). 3) Possibly also define a none critical parameter
>>> within the non signed,  non MACed range which advertises the max
>>> size packet the sender is willing to reassemble.  In fact I guess
>>> this might remove the need to use a Controls bit,  since it would
>>> imply the sender can reassemble.
>>> Then have a rule that once one party has seen the other party
>>> advertise the segmentation capability within the current BEX
>>> session, it is free to make use of segmentation towards that peer.
>>> Thoughts?
>>> DF
>> Hi Derek, I don't remember the details, but in the early days of HIP,
>> it was decided to avoid the burden of supporting fragmentation. I
>> guess I'd prefer to see some evidence that HIP messages are being
>> fragmented in the wild before starting a work effort to add support.
> do you recall how long a typical X.509 certificate can get?
> _______________________________________________
> Hipsec mailing list