Re: Moving PIC forwards



> In conclusion, it seems that TCP PIC isn't useful
> until IKE runs over TCP too. In the mean time
> we have to ensure our routers and firewalls
> do the right thing. TCP PIC doesn't help.  But,
> Bernard, is the problem the same in PIC as it is
> in IKE cert payloads, or is it bigger? If we rarely
> hit the problem in IKE but would hit it all the time
> in PIC, then it might make sense to think more about it.

It depends on how big the cert payloads are. The particular circumstances
I've seen occur with certificate chains. You are correct that IKE will
also fragment -- but often the IKE negotiation will occur on a specialized
VPN box that can include the right fragment filtering functionality,
whereas the PIC node seems more likely to be a host that will need a
filtering router in front of it.