
Re: Meeting's minutes



>   If a stack can't handle fragmentation and reassembly then it is broken. 
> I don't think protocols should be constrained because someone's stack
> is broken. 

The problem isn't the host stack. The problem is typically with routers in
front of the VPN server. As an example, if you set an access list to allow
UDP port 500, allow IPsec ESP/AH, then deny all, you will typically not see
*any* IPsec traffic get through if the certificate payload is large
enough.

Why? Because IKE will fragment, and the access list, while allowing the
first fragment through, will drop all succeeding fragments, since they
don't match any of the permit statements in the access list.
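Added example, not part of the message above: a small model of a stateless access list evaluated fragment by fragment, to show why the "permit udp 500 / permit esp / permit ah / deny all" list lets a single-packet IKE exchange through but drops a fragmented one. The Fragment and AclEntry types, the ACL contents and the packet sizes are assumptions constructed for the illustration; the matching rule (a port match needs the UDP header, which only the initial fragment carries) models the behaviour the message describes, not any particular vendor's ACL semantics, which vary in how they treat non-initial fragments.

```python
"""Model of a stateless ACL applied to fragmented IKE (UDP/500) and ESP traffic.

Constructed illustration: the types, ACLs and sizes are assumptions, not a
real router configuration.
"""
from dataclasses import dataclass
from typing import List, Optional

PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
IKE_PORT = 500


@dataclass
class Fragment:
    proto: int
    frag_offset: int           # in 8-byte units; 0 marks the initial fragment
    more_fragments: bool
    dst_port: Optional[int]    # only the initial fragment carries the UDP header


@dataclass
class AclEntry:
    action: str                         # "permit" or "deny"
    proto: Optional[int] = None         # None = any protocol
    dst_port: Optional[int] = None      # L4 match, needs the transport header
    non_initial_only: bool = False      # match non-initial fragments by L3 only


def fragment_datagram(proto: int, payload_len: int, mtu: int = 1500,
                      dst_port: Optional[int] = None) -> List[Fragment]:
    """Split one IP datagram into fragments the way an MTU of `mtu` would.

    20-byte IPv4 header assumed; fragment payloads are multiples of 8 bytes.
    """
    max_payload = (mtu - 20) // 8 * 8
    frags, offset = [], 0
    while offset < payload_len:
        chunk = min(max_payload, payload_len - offset)
        initial = offset == 0
        frags.append(Fragment(proto, offset // 8, offset + chunk < payload_len,
                              dst_port if initial else None))
        offset += chunk
    return frags


def matches(entry: AclEntry, frag: Fragment) -> bool:
    if entry.proto is not None and entry.proto != frag.proto:
        return False
    if entry.non_initial_only:
        return frag.frag_offset > 0
    if entry.dst_port is not None:
        # A non-initial fragment has no UDP header, so its port is unknown
        # and the entry cannot match it.
        return frag.dst_port == entry.dst_port
    return True


def evaluate(acl: List[AclEntry], frag: Fragment) -> str:
    """First matching entry wins; anything unmatched is denied."""
    for entry in acl:
        if matches(entry, frag):
            return entry.action
    return "deny"


# The list from the message: permit UDP/500, permit ESP, permit AH, deny all.
ACL_FROM_MESSAGE = [
    AclEntry("permit", PROTO_UDP, dst_port=IKE_PORT),
    AclEntry("permit", PROTO_ESP),
    AclEntry("permit", PROTO_AH),
    AclEntry("deny"),
]

# Assumed variant: also permit non-initial UDP fragments by protocol alone,
# so the rest of a fragmented IKE message can reach the VPN server.
ACL_WITH_FRAGMENT_PERMIT = [
    AclEntry("permit", PROTO_UDP, dst_port=IKE_PORT),
    AclEntry("permit", PROTO_UDP, non_initial_only=True),
    AclEntry("permit", PROTO_ESP),
    AclEntry("permit", PROTO_AH),
    AclEntry("deny"),
]


def dropped_fragments(acl: List[AclEntry], proto: int, payload_len: int,
                      mtu: int = 1500, dst_port: Optional[int] = None) -> int:
    """Number of fragments of the datagram the ACL would drop."""
    frags = fragment_datagram(proto, payload_len, mtu, dst_port)
    return sum(1 for f in frags if evaluate(acl, f) != "permit")


def datagram_survives(acl: List[AclEntry], proto: int, payload_len: int,
                      mtu: int = 1500, dst_port: Optional[int] = None) -> bool:
    """True only if every fragment passes; losing one fragment loses the datagram."""
    return dropped_fragments(acl, proto, payload_len, mtu, dst_port) == 0


if __name__ == "__main__":
    small_ike = datagram_survives(ACL_FROM_MESSAGE, PROTO_UDP, 800, dst_port=IKE_PORT)
    big_ike = datagram_survives(ACL_FROM_MESSAGE, PROTO_UDP, 3000, dst_port=IKE_PORT)
    big_esp = datagram_survives(ACL_FROM_MESSAGE, PROTO_ESP, 3000)
    print(f"IKE 800 bytes: {small_ike}, IKE 3000 bytes: {big_ike}, ESP 3000 bytes: {big_esp}")
```

With a 1500-byte MTU a 3000-byte IKE message (a certificate payload would do it) becomes three fragments; only the first carries the UDP header, so the other two match nothing but the final deny. A 3000-byte ESP datagram fragments the same way but survives, because the ESP entry matches on protocol number, which every fragment carries.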