In yesterday's presentation of the -ikev2-mtu-dect draft, I was asked why
we have such a notification instead of using a standard ICMP PTB message
encapsulated in ESP.

I believe the confusion comes from me saying that the PTB message is
sent AFTER the packet has been decrypted. This is not the case as the PTB
is sent BECAUSE the encrypted packet is too big and so cannot be decrypted.
In other words, the packet that is too big is the ESP packet.

If the packet is too big and cannot be decrypted, a Packet Too Big
Notification (PTB) is sent that specifies the Link MTU (LMTU) of the router
component of the egress node (on network N) as well as the effective MTU to
receive (EMTU_R). Both are configuration parameters. An ICMP PTB message
may also be sent by the egress node. Note that this ICMP message may not even
contain the SPI, and so is likely not to carry sufficient information to the
ingress node for any action to be taken. Typically the ICMP message only
carries the first 8 bytes starting from the IP header of the original packet.
This is not sufficient when encapsulated, as the 8 bytes will not contain the
SPI and the egress gateway will not be able to identify the concerned SA and
so the concerned flow.

Yours,
Daniel


-- 
Daniel Migault
Ericsson
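As an added illustration of the last point (example code, not part of the mail or the draft), this parses a constructed ICMPv4 PTB message and checks whether the quoted part of the original datagram, which per RFC 792 is the IP header plus 64 bits of data, reaches the ESP SPI at all: it does for ESP carried directly over IP, but not for UDP-encapsulated ESP on port 4500, where those 8 bytes are the UDP header. The sample packets and the SPI 0x12345678 are constructed values.

```python
import struct

ESP_PROTO, UDP_PROTO, NAT_T_PORT = 50, 17, 4500

def parse_icmp_ptb(icmp: bytes):
    """Parse an ICMPv4 type 3 / code 4 message (RFC 792, Next-Hop MTU per
    RFC 1191) into (next_hop_mtu, quoted_original_datagram)."""
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != 3 or code != 4:
        raise ValueError("not an ICMPv4 Packet Too Big message")
    return mtu, icmp[8:]

def extract_spi(quoted: bytes):
    """Recover the ESP SPI from the quoted datagram, or None when the quote
    ends before the ESP header (the receiver then cannot map it to an SA)."""
    ihl = (quoted[0] & 0x0F) * 4
    proto = quoted[9]
    payload = quoted[ihl:]
    if proto == ESP_PROTO:
        off = 0                      # ESP header directly after the IP header
    elif (proto == UDP_PROTO and len(payload) >= 4
          and NAT_T_PORT in struct.unpack("!HH", payload[:4])):
        off = 8                      # UDP-encapsulated ESP: UDP header comes first
    else:
        return None
    if len(payload) < off + 4:
        return None                  # SPI lies beyond the quoted bytes
    return struct.unpack("!I", payload[off:off + 4])[0]

def build_ptb(next_hop_mtu: int, original: bytes) -> bytes:
    """Constructed PTB quoting the IP header plus 64 bits of data (RFC 792);
    ICMP checksum left zero because this is sample data, not a real packet."""
    ihl = (original[0] & 0x0F) * 4
    return struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + original[:ihl + 8]

def ipv4_header(proto: int) -> bytes:
    """Constructed minimal 20-byte IPv4 header using documentation addresses."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 1, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

SAMPLE_SPI = 0x12345678              # made-up SPI for the constructed samples
ESP_HDR = struct.pack("!II", SAMPLE_SPI, 1) + b"\x00" * 32   # SPI, seq, data
NATIVE_ESP = ipv4_header(ESP_PROTO) + ESP_HDR
UDP_ESP = ipv4_header(UDP_PROTO) + struct.pack("!HHHH", 4500, 4500, 48, 0) + ESP_HDR

def spi_from_ptb(icmp: bytes):
    """What the ingress node can learn from an ICMP PTB: the MTU and, maybe, the SPI."""
    mtu, quoted = parse_icmp_ptb(icmp)
    return mtu, extract_spi(quoted)
```

The MTU value is recovered in both cases, but only the native-ESP quote lets the receiver tie the message to an SA; the UDP-encapsulated case returns None for the SPI.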
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec