On Mon, 7 Aug 2023, Tero Kivinen wrote:
Of course the optimal solution would be the original sender to not send 2000 byte packets, but instead fragment the packet already himself to 1300 bytes and 700 bytes, but that would require changes to the application and might not be that easy to do...
And you think all these VPN gateways' kernel stacks handling and tracking and communicating upstream to IKE to relay the message will be easier? I think people will just put mtu=1300 in their VPN config, use this new notify, and now we have yet another uncontrolled, unfixable hardcoded packet size that will never go away again.

The problem really is "create a 2000 byte packet and expect it to go over the internet". Don't do that.

Paul

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
