On Thu, 10 May 2018, Shibu wrote:
> PMTUD over IKE is needed anyways for large IKE cert payloads
I don't agree. We can handle these with fragmentation now just fine.
> However, one caveat with the above approach is that there is an implicit assumption that paths for control and data traffic are the same (i.e. IP based, 3-tuple paths). With SDWAN use cases (wherein paths could be orchestrated based on proto, port, QoS, App ID etc.), would it be a precise assumption to make? How would we handle these cases when the paths are built for ESP and IKE differently?
Right. UDP 4500 packets not starting with 4 zero bytes could be handled differently.

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
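The last reply relies on the UDP port 4500 demultiplexing rule from RFC 3948: an IKE message is prefixed with a four-zero-byte non-ESP marker, a one-byte 0xFF datagram is a NAT keepalive, and anything else is UDP-encapsulated ESP whose first four bytes are the SPI (SPI 0 is reserved, so the marker can never collide with a real ESP packet). The classifier below, an added example that is not part of this thread or any IKE implementation, shows how a receiver can separate the two traffic classes before they take different paths, and also flags IKEv2 messages whose first payload is the Encrypted and Authenticated Fragment payload (type 53 from RFC 7383), which is the fragmentation mechanism Paul refers to. The sample datagrams are constructed here for illustration; the exchange-type and payload-type constants are from the IKEv2 registry.

```python
import struct
from dataclasses import dataclass
from typing import Optional

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on UDP/4500 starts with 4 zero bytes
NAT_KEEPALIVE = b"\xff"                # RFC 3948: single 0xFF byte keepalive
IKE_HEADER_LEN = 28                    # fixed IKEv2 header size
PAYLOAD_SKF = 53                       # RFC 7383 Encrypted and Authenticated Fragment
EXCH_IKE_SA_INIT = 34
EXCH_IKE_AUTH = 35


@dataclass
class Classified:
    kind: str                          # "esp", "ike", "nat-keepalive" or "malformed"
    spi: Optional[int] = None          # ESP SPI
    seq: Optional[int] = None          # ESP sequence number
    ike_spi_i: Optional[int] = None
    ike_spi_r: Optional[int] = None
    exchange_type: Optional[int] = None
    message_id: Optional[int] = None
    fragmented: bool = False           # first payload is SKF (RFC 7383 fragment)


def classify_udp4500(payload: bytes) -> Classified:
    """Demultiplex one UDP/4500 datagram payload per RFC 3948."""
    if payload == NAT_KEEPALIVE:
        return Classified("nat-keepalive")
    if len(payload) < 8:
        # Too short for an ESP SPI+sequence or a marker plus IKE header.
        return Classified("malformed")
    if payload.startswith(NON_ESP_MARKER):
        body = payload[4:]
        if len(body) < IKE_HEADER_LEN:
            return Classified("malformed")
        (spi_i, spi_r, next_payload, _version, exch, _flags,
         msg_id, length) = struct.unpack("!QQBBBBII", body[:IKE_HEADER_LEN])
        if length != len(body):
            # Header length must match what actually arrived; drop inconsistent messages.
            return Classified("malformed")
        return Classified("ike", ike_spi_i=spi_i, ike_spi_r=spi_r,
                          exchange_type=exch, message_id=msg_id,
                          fragmented=(next_payload == PAYLOAD_SKF))
    spi, seq = struct.unpack("!II", payload[:8])
    return Classified("esp", spi=spi, seq=seq)


def build_ike_message(spi_i: int, spi_r: int, next_payload: int, exchange_type: int,
                      flags: int, message_id: int, body: bytes) -> bytes:
    """Build a UDP/4500 IKEv2 datagram: non-ESP marker + header + opaque body (test helper)."""
    length = IKE_HEADER_LEN + len(body)
    hdr = struct.pack("!QQBBBBII", spi_i, spi_r, next_payload, 0x20,
                      exchange_type, flags, message_id, length)
    return NON_ESP_MARKER + hdr + body


def sample_packets() -> dict:
    """Constructed sample datagrams (not captured traffic)."""
    return {
        # ESP: SPI 0x0102, sequence 5, then 24 bytes of opaque ciphertext
        "esp": struct.pack("!II", 0x0102, 5) + bytes(24),
        # IKE_SA_INIT request: responder SPI still zero, first payload SA (33)
        "ike_init": build_ike_message(0x1122334455667788, 0, 33,
                                      EXCH_IKE_SA_INIT, 0x08, 0, bytes(16)),
        # IKE_AUTH request carrying an RFC 7383 fragment (first payload SKF)
        "ike_frag": build_ike_message(0x1122334455667788, 0x8877665544332211,
                                      PAYLOAD_SKF, EXCH_IKE_AUTH, 0x08, 1, bytes(40)),
        "keepalive": NAT_KEEPALIVE,
        # marker followed by a truncated header
        "truncated": NON_ESP_MARKER + b"\x01\x02\x03",
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(f"{name:10s} -> {classify_udp4500(pkt)}")
```

The `length != len(body)` check is the one a practitioner should not skip: an IKE header that claims a different size than the datagram delivered is either damaged or crafted, and a demultiplexer that forwards it to the IKE daemon anyway shifts the validation burden onto code that assumes the framing was already sane.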