Valery Smyslov writes:
> Draft introduces IKE-level fragmentation to avoid IP fragmentation
> whenever possible and to only let it be if it is impossible.

Actually the first preference is to use IP fragmentation, and if that works, it is what we use, and we do not try IKE fragmentation at all. Only if the large packets do not go through do we try to enable IKE fragmentation and so on...

So all of this draft is used only if there is some device on the path that will drop at least some fragments somewhere. And yes, we might miscategorize some network errors as IP fragments getting lost, as we have no indication from the network whether the packet was lost because it got fragmented on the IP level, or for some other reason. There is no way IKEv2 could even get that information, so we assume that if multiple full-size retransmissions of IKEv2 packets are lost, then there might be a fragmentation issue, and we enable IKE fragmentation.

> But if it is unavoidable, then there are more chances for IKE to
> work if IP fragments exist only on the part of the path, i.e. when
> fragmentation is done by intermediate device.

Yep.
--
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
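A toy model of the fallback heuristic the reply describes (trust IP fragmentation first, switch to IKE-level fragmentation only after several full-size retransmissions are lost), added here as a constructed example; it is not code from any IKEv2 implementation or from the draft, and the path MTU, the trigger threshold, the retransmit limit and the path model are all assumptions.

```python
"""Constructed model of IKE fragmentation fallback.  A sender first trusts IP
fragmentation; only after FRAG_TRIGGER full-size retransmissions are lost does
it enable IKE-level fragmentation.  Sizes and thresholds are assumptions."""
from dataclasses import dataclass, field

PATH_MTU = 1280          # assumed: largest datagram the path forwards unfragmented
FRAG_TRIGGER = 3         # assumed: lost full-size retransmissions before fallback
MAX_RETRANSMITS = 8      # assumed: give up after this many sends


@dataclass
class Path:
    """Simplified path model.  drops_ip_fragments stands for a middlebox that
    discards IP fragments; lose_every models unrelated loss (every Nth datagram)."""
    drops_ip_fragments: bool
    lose_every: int = 0
    sent: int = 0

    def deliver(self, size: int) -> bool:
        self.sent += 1
        if self.lose_every and self.sent % self.lose_every == 0:
            return False                     # loss unrelated to fragmentation
        if size > PATH_MTU and self.drops_ip_fragments:
            return False                     # would be IP-fragmented, fragments dropped
        return True


@dataclass
class IkeSender:
    message_size: int
    path: Path
    ike_fragmentation: bool = False
    log: list = field(default_factory=list)  # (attempt, ike_fragmentation, delivered)

    def _datagrams(self) -> list:
        if not self.ike_fragmentation:
            return [self.message_size]       # one full-size IKE message
        n, rem = divmod(self.message_size, PATH_MTU)
        return [PATH_MTU] * n + ([rem] if rem else [])

    def send_until_acked(self) -> bool:
        lost_full_size = 0
        for attempt in range(1, MAX_RETRANSMITS + 1):
            delivered = all([self.path.deliver(d) for d in self._datagrams()])
            self.log.append((attempt, self.ike_fragmentation, delivered))
            if delivered:
                return True
            if not self.ike_fragmentation:
                lost_full_size += 1
                if lost_full_size >= FRAG_TRIGGER:
                    # IKE cannot learn why the packet was lost; assume fragment loss.
                    self.ike_fragmentation = True
        return False
```

The third case in the test shows the miscategorization the reply mentions: ordinary loss also trips the fallback, because the sender has no signal distinguishing it from dropped fragments.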