Re: [IPsec] I-D Action: draft-ietf-ipsecme-ikev2-fragmentation-03.txt

Tero Kivinen <kivinen@iki.fi> Thu, 10 October 2013 12:59 UTC

Date: Thu, 10 Oct 2013 15:59:20 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
In-Reply-To: <5256426B.4030707@gmail.com>
Cc: ipsec@ietf.org, Valery Smyslov <svanru@gmail.com>, Paul Wouters <paul@cypherpunks.ca>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-ikev2-fragmentation-03.txt

Yaron Sheffer writes:
> I'm even more worried that if we use small fragments, reliability will 
> deteriorate. Because we do not have per-packet acknowledgement, and so 
> if any fragment is dropped, the whole message must be resent. This is 
> probably a greater risk in mobile networks.

The fix there is to use IP level fragmentation... And only switch to
use small IKEv2 level fragmented packets if that does not work. This
whole protocol is only needed on the broken networks, so it does not
matter if it is very suboptimal, as we can always say that if you
enable fragmentation support on your devices, things will work
better.
-- 
kivinen@iki.fi
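A small model of the reliability trade-off discussed in the two messages above. It is an added example, not part of the thread or of the draft; it assumes independent per-fragment loss and whole-message retransmission when any fragment is missing, and the message size, payload sizes and 5% loss rate are constructed sample inputs.

```python
"""Reliability cost of IKEv2-level fragmentation without per-fragment acks.

Model (assumption): a message is split into n fragments, each lost
independently with probability p.  Because the whole message is resent
when any fragment is missing, one attempt succeeds only if all n
fragments arrive together.
"""
import math


def fragment_count(message_len: int, fragment_payload: int) -> int:
    """Number of IKEv2 fragments needed to carry message_len bytes."""
    if fragment_payload <= 0:
        raise ValueError("fragment payload must be positive")
    return max(1, math.ceil(message_len / fragment_payload))


def delivery_probability(n_fragments: int, loss_rate: float) -> float:
    """P(all n fragments of a single attempt arrive) = (1 - p)^n."""
    return (1.0 - loss_rate) ** n_fragments


def expected_attempts(n_fragments: int, loss_rate: float) -> float:
    """Expected whole-message transmissions until one attempt succeeds
    (geometric distribution with success probability (1 - p)^n)."""
    return 1.0 / delivery_probability(n_fragments, loss_rate)


def expected_sends_with_fragment_acks(n_fragments: int, loss_rate: float) -> float:
    """Hypothetical comparison only: if each fragment were acknowledged and
    retransmitted on its own, each needs 1/(1-p) sends, so n/(1-p) total."""
    return n_fragments / (1.0 - loss_rate)


def compare(message_len: int, loss_rate: float, payload_sizes=(1280, 576, 256)):
    """Rows of (payload, fragments, P(success), E[attempts], E[sends with acks])
    showing how smaller fragments lower the chance that a whole attempt gets through."""
    rows = []
    for payload in payload_sizes:
        n = fragment_count(message_len, payload)
        rows.append((payload, n, delivery_probability(n, loss_rate),
                     expected_attempts(n, loss_rate),
                     expected_sends_with_fragment_acks(n, loss_rate)))
    return rows


if __name__ == "__main__":
    # Constructed sample: a 4000-byte IKE_AUTH-sized message on a link losing 5% of packets.
    for row in compare(4000, 0.05):
        print("payload=%5d fragments=%2d P(ok)=%.3f E[attempts]=%.2f E[sends w/acks]=%.2f" % row)
```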