[Top] [All Lists]

Re: IPsec and Path MTU

To: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Subject: Re: IPsec and Path MTU
From: Michael Richardson <mcr@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 16 Jun 2004 10:43:19 -0400
Cc: kuznet@xxxxxxxxxxxxx, davem@xxxxxxxxxx, jmorris@xxxxxxxxxx, netdev@xxxxxxxxxxx
In-reply-to: Message from Herbert Xu <> of "Wed, 16 Jun 2004 21:43:45 +1000." <>
References: <> <> <>
Sender: netdev-bounce@xxxxxxxxxxx

>>>>> "Herbert" == Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> writes:
    >> The pmtu WG is considering changing how PMTU is done. You may
    >> want to look at draft-richardson-ipsec-fragment-XX.txt. This has
    >> not yet been adopted as a WG draft, because nobody is sure which
    >> WG should adopt it:-)

    Herbert> I'd say that we should get the stack to work with the hosts
    Herbert> that do send ICMP replies first, and then worry about those
    Herbert> that don't :) 

  The proposal there is a compromise between what RFC1191 says, and what
people in the field (and most IPsec implementations, because we get
blamed) have done - it continues to send ICMP replies at all times that
the old logic would usefully do, while not causing huge headaches that
having ICMPs disappear causes. 

  My opinion is that any solution which does not address the problem of
ICMP blackholes is actually a step back because it causes things to
intermittently fail. Right now, things just fail for big packets,
period. That provides much large clue that there is a problem, which can
be worked around. 

  So, I'm agreeing with your :) -- we can tune the algorithm later, but
let's make sure that we do it ASAP.

- --
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xxxxxxxxxxxxx |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys


<Prev in Thread] Current Thread [Next in Thread>