
Re: Moving PIC forwards



In message <3BDFCDFB.F6C7FBE1@xxxxxxxxxxxxxxx>, Jari Arkko writes:
>

>Besides, for the problem to occur you must have
>a firewalling router between the businessman's
>PC and the corporate PIC node /VPN gateway. How
>likely is that? Network operators hopefully shouldn't
>be filtering your traffic, so that leaves the
>corporate network border routers possibly in front
>of the PIC/VPN nodes. If they can't handle fragmented
>UDP packets, the network manager can upgrade the
>routers at the same time he installs PIC. Or?
>

One cause of the fragmentation problem is PPPoE.  You may not like 
PPPoE (I certainly don't), but there's a lot of it out there on DSL 
lines.

None of which, of course, says that we need to break our protocol to 
deal with it.  But v6 doesn't even have router-based fragmentation, so 
we may want to plan ahead.  Do we want to go as far as to recommend 
intentional fragmentation at some rational threshold?

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com