On Thu, Mar 31, 2016 at 01:58:35PM +0200, [email protected] wrote:
> To be honest, we had never assumed for IP fragmentation (on one request
> and one response) to be a huge problem.

One request and response could still be a problem. If the client is not able to receive fragmented packets, it won't be able to initialize the NTS association.

> If people see grave problems with it, we would welcome an elaboration as
> to why this is.

I'm not sure and I was hoping others would comment on that. It seems to me problems with IPv4 fragmentation are quite common due to firewalls dropping ICMP packets or IP fragments, and IPv6 doesn't seem to recommend sending packets larger than 1500.

> To clarify: does the reason you suspect that splitting client_cook is more
> difficult lie only in the stateless nature of the server and the fact that
> client_cook is a request, sent from client to server?

Yes, precisely. The client keeps the NTS state, so in the worst case the server could be authenticated in multiple steps, sending one certificate at a time. But splitting the client_cook message at the NTP or NTS layer would not, from the server's point of view, be different from fragmenting a single packet at the IP layer.

-- 
Miroslav Lichvar

_______________________________________________
TICTOC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tictoc
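An added illustration of the point made in this reply (example code, not from the thread or from any NTS implementation): it checks whether a UDP message would exceed the unfragmented payload at a given MTU, and shows the server-to-client direction being split into self-describing chunks that the stateful client reassembles, which is the case the reply says is workable. Header sizes and the 4-byte chunk header are assumptions for the example.

```python
# Added example; sizes assumed: IPv4/IPv6/UDP header lengths, a 4-byte
# chunk header (2-byte index, 2-byte count) invented for illustration.
IPV4_HDR, IPV6_HDR, UDP_HDR, CHUNK_HDR = 20, 40, 8, 4


def max_payload(mtu, ipv6=False):
    """Largest UDP payload that fits one datagram with no IP fragmentation."""
    return mtu - (IPV6_HDR if ipv6 else IPV4_HDR) - UDP_HDR


def would_fragment(msg_len, mtu=1500, ipv6=False):
    """True if a message of msg_len bytes needs IP fragmentation at this MTU;
    a client behind a filter that drops fragments could then never finish."""
    return msg_len > max_payload(mtu, ipv6)


def split_message(msg, mtu=1280, ipv6=True):
    """Server side: cut a large message (e.g. a certificate chain) into chunks,
    each carrying (index, count) so it travels unfragmented at the given MTU."""
    room = max_payload(mtu, ipv6) - CHUNK_HDR
    pieces = [msg[i:i + room] for i in range(0, len(msg), room)] or [b""]
    n = len(pieces)
    return [i.to_bytes(2, "big") + n.to_bytes(2, "big") + p
            for i, p in enumerate(pieces)]


class Reassembler:
    """Client side: the client keeps the state, so it can collect chunks in any
    order and only hand back the full message once every index has arrived."""

    def __init__(self):
        self.parts = {}
        self.total = None

    def feed(self, chunk):
        idx = int.from_bytes(chunk[:2], "big")
        n = int.from_bytes(chunk[2:4], "big")
        if self.total is None:
            self.total = n
        if n != self.total or idx >= n:
            raise ValueError("inconsistent chunk header")
        self.parts[idx] = chunk[CHUNK_HDR:]
        if len(self.parts) == self.total:
            return b"".join(self.parts[i] for i in range(self.total))
        return None  # still waiting for more chunks
```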
