[IPsec] Some comments to the draft-smyslov-ipsecme-ikev2-fragmentation-01

Tero Kivinen <kivinen@iki.fi> Thu, 18 April 2013 11:09 UTC


In the picture in "2.5. Fragmenting Message" there is a field called
"Next Payload", but the description says "Next Fragment":

----------------------------------------------------------------------
                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Next Payload  |C|  RESERVED   |         Payload Length        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
...
   o  Next Fragment (1 octet) - in the very first fragment MUST be set
      to Payload Type of the first inner Payload (as in Encrypted
      Payload).  In the rest fragments MUST be set to zero.
----------------------------------------------------------------------

In section 2.5.1 the draft says:
----------------------------------------------------------------------
                      Using 576 bytes is a compromise - the value is
   large enough for the presented solution and small enough to avoid IP
   fragmentation in most situations.  Sender MAY use other values if
   they are appropriate.
----------------------------------------------------------------------

I think you might also point out that other protocols also assume that
same value, i.e. I think DNS packets sent over UDP also assume that
same limit, and if IP packets of that length do not work, then the network
does not work for any real uses...
-- 
kivinen@iki.fi
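As an added example (not part of this mail or of the draft), a small Python checker for the 4-octet generic header drawn in the figure above and for the rule quoted under it: the first fragment's Next Payload carries the type of the first inner payload, every later fragment's is zero. Payload type 35 (IDi) is IKEv2's Identification-Initiator type; the fragment bodies are constructed, and only the generic header is modelled, not the draft's remaining fragment fields.

```python
import struct

# Generic IKEv2 payload header as drawn in the draft's section 2.5 figure:
# Next Payload (1 octet) | C bit + 7 RESERVED bits (1 octet) | Payload Length (2 octets)
HEADER_FMT = "!BBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 4 octets


def parse_fragment_header(data: bytes) -> dict:
    """Decode the 4-octet header. Rejects buffers shorter than the header and
    a Payload Length that does not fit the buffer, so the length field is
    never trusted blindly when slicing the fragment body."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated payload header")
    next_payload, flags, length = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if length < HEADER_LEN or length > len(data):
        raise ValueError(f"Payload Length {length} inconsistent with {len(data)} octets")
    return {
        "next_payload": next_payload,
        "critical": bool(flags & 0x80),  # C bit is the high bit of the second octet
        "reserved": flags & 0x7F,
        "length": length,
    }


def check_next_payload_rule(fragments: list, first_inner_type: int) -> list:
    """Apply the rule quoted from the draft: the first fragment's Next Payload
    MUST be the type of the first inner payload, and every later fragment's
    Next Payload MUST be zero. Returns the list of violations (empty = OK)."""
    problems = []
    for i, frag in enumerate(fragments):
        hdr = parse_fragment_header(frag)
        expected = first_inner_type if i == 0 else 0
        if hdr["next_payload"] != expected:
            problems.append(f"fragment {i}: Next Payload {hdr['next_payload']}, expected {expected}")
        if hdr["reserved"] != 0:
            problems.append(f"fragment {i}: RESERVED bits must be zero")
    return problems


def build_fragment(next_payload: int, body: bytes, critical: bool = False) -> bytes:
    """Constructed helper: header plus body. Only the 4-octet generic header is
    modelled here; the draft's full fragment payload carries further fields."""
    flags = 0x80 if critical else 0
    return struct.pack(HEADER_FMT, next_payload, flags, HEADER_LEN + len(body)) + body


# Constructed sample: two fragments of a message whose first inner payload is IDi (type 35).
SAMPLE_OK = [build_fragment(35, b"\x11" * 12), build_fragment(0, b"\x22" * 12)]
SAMPLE_BAD = [build_fragment(35, b"\x11" * 12), build_fragment(35, b"\x22" * 12)]
```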