Re: Moving PIC forwards
paul.hoffman@xxxxxxxx (Paul Hoffman / VPNC) writes:
> (b) add DOS protection as Hugo described
My vote goes for [b].
And then, to continue the discussion..
,----
| I'd like the protocol to run over TCP, so that we can handle large
| certificate payloads without fragmentation. In practice, fragmentation of
| IKE cert payloads has turned out to be a headache, because many
| existing router code loads cannot handle fragment filtering very well.
|
| It would be much easier if PIC could just be installed in a network
| without having to upgrade the routers.
`----
Considering the world seems to be full of routers with broken PMTU / filtered
icmp-unreachable functionality, we're bound to see lots of fragmented IPsec
packets in any case. Can we therefore assume that those are gone, too?
I'm not too happy with the conclusion..
(But still, I think that the TCP _would_ be worth it but not this close to
actually deploying PIC; maybe in son-of-PIC :>)
Now, son-of-IKE's another matter; I think TCP'd make some things _much_
easier (considering in _all_ interops I've been to, I've run into
implementations with such basic features as proper packet resends broken).
-Markus
--
Markus Stenberg <stenberg@xxxxxxx> of SSH Communications Security (www.ssh.com)