On Thu, 10 May 2018, Shibu wrote:

PMTUD over IKE is needed anyways for large IKE cert payloads

I don't agree. We can handle these with fragmentation now just fine.

However, one caveat with the above approach is that there is an implicit
assumption that paths for control and data traffic are the same (i.e. IP
based, 3 tuple paths).
With SDWAN use cases (wherein paths could be orchestrated based on proto,
port, QoS, App ID etc), would it be a precise assumption to make? How would
we handle these cases when the paths are built for ESP and IKE differently?

Right. UDP 4500 packets not starting with 4 zero bytes could be handled
differently.

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
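
The distinction the last reply relies on is the RFC 3948 demultiplexing rule: on UDP 4500, IKE messages are prefixed with four zero bytes (the non-ESP marker) while ESP-in-UDP starts with a nonzero SPI. An added example, not part of the original thread, showing how a receiver or path-selection policy can tell the two apart; the function names and sample packets are constructed for illustration.

```python
import struct

NON_ESP_MARKER = b"\x00" * 4              # RFC 3948: precedes IKE on UDP 4500
IKE_HDR = struct.Struct("!8s8sBBBBII")    # RFC 7296 fixed header, 28 bytes


def classify_udp4500(payload: bytes) -> dict:
    """Demultiplex one UDP/4500 payload as an RFC 3948 receiver would."""
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "invalid", "reason": "too short"}
    if payload[:4] != NON_ESP_MARKER:
        # Nonzero first word is an ESP SPI, followed by the sequence number.
        spi, seq = struct.unpack_from("!II", payload)
        return {"kind": "esp", "spi": spi, "seq": seq}
    body = payload[4:]
    if len(body) < IKE_HDR.size:
        return {"kind": "invalid", "reason": "truncated IKE header"}
    _, _, _, version, exchange, _, msg_id, length = IKE_HDR.unpack_from(body)
    if length != len(body):
        return {"kind": "invalid", "reason": "IKE length mismatch"}
    return {"kind": "ike", "major": version >> 4,
            "exchange_type": exchange, "message_id": msg_id}


def sample_packets() -> dict:
    """Constructed payloads (not captured traffic) covering each branch."""
    ike = IKE_HDR.pack(b"\x11" * 8, b"\x00" * 8, 0, 0x20, 34, 0x08, 0, 28)
    esp = struct.pack("!II", 0xC0FFEE01, 7) + b"\xaa" * 16
    return {
        "ike": NON_ESP_MARKER + ike,
        "esp": esp,
        "keepalive": b"\xff",
        "bad": NON_ESP_MARKER + ike[:10],
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, classify_udp4500(pkt))
```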