Re: CERT_REQ_PAYLOAD usage
In your previous mail you wrote:
   In almost all IKE implementations there is no path MTU discovery, and no
   way to reduce the size of the UDP payload because you can't
   interoperably send payloads in different exchanges.
=> with IPv6 IKE *should* use the IPV6_USE_MIN_MTU socket option
(IPv6 is a bit different:
 - there is no "en route" fragmentation, i.e. fragmentation is end-to-end
 - path MTU discovery is mandatory (but doesn't work well with IKE)
 - there is some user control on path MTU (including this socket option)
 - minimal MTU is 1280 bytes (i.e. far more than IPv4's 68 bytes))
Regards
Francis.Dupont@enst-bretagne.fr
PS: I've sent this message in order to have this point in the archives.
PPS: from draft-ietf-ipngwg-rfc2292bis-01.txt:
11.1. Sending with the Minimum MTU

   Some applications might not want to incur the overhead of path MTU
   discovery, especially if the applications only send a single datagram
   to a destination. A potential example is a DNS server.

   This specification defines a mechanism to avoid fragmentation by
   sending at the minimum IPv6 MTU (1280 bytes). This can be enabled
   using the IPV6_USE_MIN_MTU socket option.

      int on = 1;
      setsockopt(fd, IPPROTO_IPV6, IPV6_USE_MIN_MTU, &on, sizeof(on));

   By default, this socket option is disabled. Setting the value to 0
   also disables the option. This option can also be sent as ancillary
   data.
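
Added example, not part of the original message or of the draft: a sketch of how an IKE daemon could open its IPv6 UDP socket with the option above and check whether a message (for instance one carrying certificate request payloads) still fits in a single minimum-MTU packet. The function names are hypothetical; the IPV6_MTU fallback for stacks that do not offer IPV6_USE_MIN_MTU is an assumption, as is the absence of extension headers in the size budget.

```c
#include <stddef.h>
#include <unistd.h>       /* close(), for callers */
#include <sys/socket.h>
#include <netinet/in.h>

#define MIN_MTU_BYTES  1280   /* minimum IPv6 MTU, from the draft text */
#define IPV6_HDR_BYTES   40   /* fixed IPv6 header */
#define UDP_HDR_BYTES     8   /* UDP header */

/* Largest UDP payload that leaves the host as one unfragmented packet
 * when sending at the minimum MTU (assumes no extension headers). */
size_t min_mtu_udp_budget(void)
{
    return MIN_MTU_BYTES - IPV6_HDR_BYTES - UDP_HDR_BYTES;
}

/* 1 if an IKE message of msg_len bytes fits without fragmentation. */
int ike_msg_fits_min_mtu(size_t msg_len)
{
    return msg_len <= min_mtu_udp_budget();
}

enum min_mtu_mode { MIN_MTU_NONE = 0, MIN_MTU_OPTION = 1, MIN_MTU_FIXED = 2 };

/* Open an IPv6 UDP socket and ask the stack to send at the minimum MTU.
 * Returns the fd, or -1 with errno set; *mode reports what was applied. */
int open_min_mtu_udp6(enum min_mtu_mode *mode)
{
    int on = 1, mtu = MIN_MTU_BYTES;
    int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);

    (void)on; (void)mtu;   /* either may be unused on a given platform */
    *mode = MIN_MTU_NONE;
    if (fd < 0)
        return -1;
#ifdef IPV6_USE_MIN_MTU
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_USE_MIN_MTU, &on, sizeof(on)) == 0)
        *mode = MIN_MTU_OPTION;
#endif
#ifdef IPV6_MTU
    /* Fallback (assumption): pin the socket MTU to 1280 instead. */
    if (*mode == MIN_MTU_NONE &&
        setsockopt(fd, IPPROTO_IPV6, IPV6_MTU, &mtu, sizeof(mtu)) == 0)
        *mode = MIN_MTU_FIXED;
#endif
    return fd;
}
```

A caller that gets MIN_MTU_NONE back knows the stack honoured neither request, so larger messages stay subject to path MTU discovery and should be logged accordingly.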