Paul Wouters writes:
> On Mon, 7 Aug 2023, Tero Kivinen wrote:
>
> > Of course the optimal solution would be the original sender to not
> > send 2000 byte packets, but instead fragment the packet already
> > himself to 1300 bytes and 700 bytes, but that would require changes to
> > the application
On Mon, 7 Aug 2023, Tero Kivinen wrote:
Of course the optimal solution would be the original sender to not
send 2000 byte packets, but instead fragment the packet already
himself to 1300 bytes and 700 bytes, but that would require changes to
the application and might not be that easy to do...
Paul Wouters writes:
> > You can't do that if DF=1, or IPv6.
> > You can form big ESP packets and then fragment them, even with IPv6.
> > DF=0 for IPv4 on ESP packets is good, until there is a firewall that can't
> > cope with fragments.
>
> Why does any of this even matter? The applications should
Hi everyone,
Considering the various comments here is our understanding of the IKE PTB
status. The IKE PTB, in our view, is largely motivated by enabling the
egress interface to provide the EMTU_R to the ingress interface. This
results from the discussion with Joe Touch who references the docume
On Wed, Aug 2, 2023 at 11:28 AM Paul Wouters wrote:
> On Tue, 1 Aug 2023, Daniel Migault wrote:
>
> [The quoting got mangled in Daniel's message]
>
> > If an incoming Encrypted packet is larger than the Link MTU
> >
> >
> > How can that be? You mean you received an ESP or ESPinUDP that after
> d
Michael Richardson writes:
Paul Wouters wrote:
>> > Or use IPTFS and set your own max packet size sufficiently low?
>>
>> I think that this is the killer app for IPTFS.
>>
> But of co
On Thu, Aug 3, 2023 at 9:12 AM Michael Richardson
wrote:
>
> Paul Wouters wrote:
> >> > Or use IPTFS and set your own max packet size sufficiently low?
> >>
> >> I think that this is the killer app for IPTFS.
> >>
>
> > But of course this means either IPTFS should be able to
Paul Wouters wrote:
>> > Or use IPTFS and set your own max packet size sufficiently low?
>>
>> I think that this is the killer app for IPTFS.
>>
> But of course this means either IPTFS should be able to auto-tune this,
> or else we end up with hardcoded configs that might
cket
> > the egress
> > > interface is able to handle which includes the ability
> > to
> > > reassemble and decrypt the packet. In that sense, I see
> > > sending the EMTU_R as very similar to an ICMP PTB
> > except. I
>
Christian Hopps wrote:
> You're confusing inner and outer traffic here. When your egress
> endpoint decaps the tunnel traffic, and then that traffic won't fit on
> its egress red link on your egress endpoint is going to send an ICMP
> too big message back to the ingress router *i
On Wed, Aug 2, 2023 at 9:17 PM Michael Richardson
wrote:
>
> Paul Wouters wrote:
> >> Christian Hopps wrote: >> The ingress node
> >> encrypts this packet and adds the IPsec >> encapsulation, and this
> >> IPsec-processed packet is also larger than the >> Link MTU. The
> >> ingr
> Yours,
> Daniel
>
>
> --Ben
SchwartzI-D.spiriyath-ipsecme-dynamic-ipsec-pmtu
>
> From: Harold Liu 40ericsson@dmarc.ietf.org>
> Sent: Sunday, July 30, 2023 9:28
imum Atomic Packet)
> > are both used, but I feel they are the same thing.
> >
> > TLP (Tunnel Link Packet) and LTP (no definition) are both used, and I
> > think LTP is misspelled. In some cases, “IPsec encapsulated TTP” is
> > used, and I think it also means TLP.
On Wed, Aug 2, 2023 at 9:17 PM Michael Richardson
wrote:
>
> Paul Wouters wrote:
> >> Christian Hopps wrote: >> The ingress node
> >> encrypts this packet and adds the IPsec >> encapsulation, and this
> >> IPsec-processed packet is also larger than the >> Link MTU. The
> >> ingr
can understand the rationale for the
> > LMAP extension. However, I would like to see a bit more
> > description of the whole system. How do I send path probes
> > to elicit these responses? Can I use ICMP ECHO inside the
> > tunnel, or do we
Paul Wouters wrote:
>> Christian Hopps wrote: >> The ingress node
>> encrypts this packet and adds the IPsec >> encapsulation, and this
>> IPsec-processed packet is also larger than the >> Link MTU. The
>> ingress node fragments this IPsec-processed packet and >> sends all
>>
On Tue, 1 Aug 2023, Daniel Migault wrote:
[The quoting got mangled in Daniel's message]
If an incoming Encrypted packet is larger than the Link MTU
How can that be? You mean you received an ESP or ESPinUDP that after
decrypting was too large for the
link you need to send the decrypted packe
On Wed, 2 Aug 2023, Michael Richardson wrote:
Christian Hopps wrote:
>> The ingress node encrypts this packet and adds the IPsec
>> encapsulation, and this IPsec-processed packet is also larger than the
>> Link MTU. The ingress node fragments this IPsec-processed packet and
>> sends
Christian Hopps wrote:
>> The ingress node encrypts this packet and adds the IPsec
>> encapsulation, and this IPsec-processed packet is also larger than the
>> Link MTU. The ingress node fragments this IPsec-processed packet and
>> sends all the fragments to the egress node.
In some cases, “IPsec encapsulated TTP” is
used, and I think it also means TLP.
Regards & Thanks!
Wei Pan (潘伟)
From: IPsec [mailto:ipsec-boun...@ietf.org] On Behalf Of Daniel
Migault
Sent: Wednesday, August 2, 2023 12:56 AM
To: Ben Schwartz
Cc: Harold Liu ;
ipsec@ietf.org
Subject: Re
Psec [mailto:ipsec-boun...@ietf.org] On Behalf Of Daniel Migault
Sent: Wednesday, August 2, 2023 12:56 AM
To: Ben Schwartz
Cc: Harold Liu ; ipsec@ietf.org
Subject: Re: [IPsec] -ikev2-mtu-dect: IKEv2 PTB Notification
Hi Ben,
Just trying to position our understanding of the position between the ICMP
From: Daniel Migault
Sent: Monday, July 31, 2023 12:10 PM
To: Ben Schwartz
Cc: Harold Liu ;
ipsec@ietf.org
Subject: Re: [IPsec] -ikev2-mtu-dect: IKEv2 PTB Notification
Hi Ben, Please see my comments. On Mon, Jul 31, 2023 at
Paul Wouters wrote:
> On Aug 1, 2023, at 12:56, Daniel Migault wrote:
>>
>> Hi Ben, Just trying to position our understanding of the position
>> between the ICMP PTB and the IKE PTB. If an incoming Encrypted packet
>> is larger than the Link MTU
> How can that be? You
Hi Paul,
Please see my response in line.
Yours,
Daniel
On Tue, Aug 1, 2023 at 2:15 PM Paul Wouters wrote:
> On Aug 1, 2023, at 12:56, Daniel Migault wrote:
>
>
>
>
> Hi Ben,
>
> Just trying to position our understanding of the position between the ICMP
> PTB and the IKE PTB.
>
> If an inc
On Aug 1, 2023, at 12:56, Daniel Migault wrote:
>
>
> Hi Ben,
> Just trying to position our understanding of the position between the ICMP
> PTB and the IKE PTB.
> If an incoming Encrypted packet is larger than the Link MTU
How can that be? You mean you received an ESP or ESPinUDP that aft
the tunnel, or do we
>> need draft-colitti-ipsecme-esp-ping? If we have path probes, why not just
>> set DF=1 on the outer header for PMTUD?
>>
>> --Ben Schwartz
>> --
>> *From:* Daniel Migault
>> *Sent:* Monday, July 31, 2023 12:
gateway.
> PLMTUD I-D.spiriyath-ipsecme-dynamic-ipsec-pmtu for ESP is another path,
> but it would take a lot of effort.
>
> Yours,
> Daniel
>
>
> --Ben SchwartzI-D.spiriyath-ipsecme-dynamic-ipsec-pmtu
> --
> *From:* Harold Liu
> *Sent:* Sunday,
Schwartz
Cc: Harold Liu ; ipsec@ietf.org
Subject: Re: [IPsec] -ikev2-mtu-dect: IKEv2 PTB Notification
Hi Ben, Please see my comments. On Mon, Jul 31, 2023 at 10:47 AM Ben Schwartz
wrote: Hi Harold, It sounds like you're describing a
different problem. Daniel mentioned a concern about
Daniel
> --Ben SchwartzI-D.spiriyath-ipsecme-dynamic-ipsec-pmtu
> --
> *From:* Harold Liu
> *Sent:* Sunday, July 30, 2023 9:28 PM
> *To:* Ben Schwartz ; Daniel Migault
> *Cc:* ipsec@ietf.org
> *Subject:* RE: [IPsec] -ikev2-mtu-dect: IKEv2 PTB No
th using ordinary IP fragmentation and PMTUD.
--Ben Schwartz
From: Harold Liu
Sent: Sunday, July 30, 2023 9:28 PM
To: Ben Schwartz ; Daniel Migault
Cc: ipsec@ietf.org
Subject: RE: [IPsec] -ikev2-mtu-dect: IKEv2 PTB Notification
Ben, thanks for your comment. Yes at the
error responses.
Brs
From: IPsec On Behalf Of Ben Schwartz
Sent: Saturday, July 29, 2023 8:01 AM
To: Daniel Migault
Cc: ipsec@ietf.org
Subject: Re: [IPsec] -ikev2-mtu-dect: IKEv2 PTB Notification
+mailing list (oops)
I think I understand the difficulty here. In IPv6, a "maximum reasse
8, 2023 10:47 AM
To: Ben Schwartz
Subject: Re: [IPsec] -ikev2-mtu-dect: IKEv2 PTB Notification
I see the next link as being the network behind the egress security gateway in
which case the packet would be the clear text packet. In that case maybe we
could expect an ICMP PTB being sent to the s
In yesterday's presentation of the -ikev2-mtu-dect draft, I was asked why
do we have such a notification instead of using a standard ICMP PTB message
encapsulated in ESP.
I believe the confusion comes from me saying that the PTB message is
sent AFTER the packet has been decrypted. This is not the