[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Moving PIC forwards

To: Jari Arkko <Jari.Arkko@xxxxxxxxxxxxxxx>
Subject: Re: Moving PIC forwards
From: Bernard Aboba <aboba@xxxxxxxxxxxxx>
Date: Wed, 31 Oct 2001 06:33:01 -0800 (PST)
Cc: Paul Hoffman / VPNC <paul.hoffman@xxxxxxxx>, ietf-ipsra@xxxxxxxx
In-reply-to: <>
List-archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-id: <ietf-ipsra.vpnc.org>
List-unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Sender: owner-ietf-ipsra@xxxxxxxxxxxxx

> Besides, for the problem to occur you must have
> a firewalling router between the businessman's
> PC and the corporate PIC node /VPN gateway. How
> likely is that? 

If the PIC node is not deployed on a router, then from what I've seen,
this is the default configuration. 

> If they can't handle fragmented
> UDP packets, the network manager can upgrade the
> routers at the same time he installs PIC. Or?

In the customer base I've talked to there are no immediate plans for such
upgrades -- since that would require more memory and ROM in the affected
routers, and that's not in the budget. In general, they don't like
operating with very different code loads in different sections of the
network, so this is more likely to be seen as part of a wider
upgrade. Even in those cases where the upgrade is feasible, customers
often don't want to do it because they are afraid of side effects
such as enabling fragment attacks.

References:
- Re: Moving PIC forwards
  - From: Jari Arkko

Prev by Date: Re: Moving PIC forwards
Next by Date: Re: Moving PIC forwards
Previous by thread: Re: Moving PIC forwards
Next by thread: Re: Moving PIC forwards
Index(es):
- Date
- Thread