Re: Moving PIC forwards
> (Secondary alternative, own PMTU-detection scheme by trial-and-error, I
> won't even go to.. nor user configuration :P)
Going to minimum MTU all the time is not a good strategy, I'd agree. Not
sure that PMTU discovery would be so bad though -- could be made fairly
simple. For example, set the DF bit, and if fragmentation is encountered
move down in large increments. In any of these cases, you'd need the
"continuation" capability, though.
> Is the problem _really_ out there? I personally haven't encountered it
> much, but my cert chains have been mostly on the short side.
The problem is very common among organizations that have deployed
LDAP-based directories.
IT organizations often have sophisticated directory structures, and the
chain of trust is reflective of their organizational hierarchy. So the
Swedish branch office would be under Europe, which is part of Products
Group, which is within the Automotive Division, and this results in a long
cert chain.
> - If it's matter of product, we should just embrace some form of 'IPsec
> compatible' term to differentiate between broken and working firewalls.
Not easy to do when *most* existing routers do not support fragment
filtering very well. Remember, fragments don't necessarily have a
header/port present, so you have to keep state in order to handle this
correctly.
> and others (like us, it seems) are mostly concerned in getting SOMETHING
> working by kludging around existing crap out there.
Yup. Have been working on IPsec since 1996 now, and am still struggling to
get a widespread cert-based deployment going. At this point, believe it
or not, the IKE fragmentation issue is probably a bigger headache than
getting the PKI infrastructure up, and even deploying smartcards and
directories.
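The two mechanisms argued over above (a DF-bit probe that steps the packet size down in large increments, and why a firewall that filters fragments by port needs to keep state, since only the first fragment of a UDP datagram carries the port numbers) can be modelled in a few lines. The following is an added illustration, not code from this thread or from any IKE implementation; the fragment and firewall objects, the 4000-byte "certificate chain" payload, the link MTUs and the step sizes are all constructed for the example, and it assumes fragments arrive in order, which a real stateful filter cannot.

```python
"""Toy model of IKE (UDP/500) fragmentation versus stateless and stateful
fragment filtering, plus a trial-and-error DF-bit path-MTU probe.
Constructed example; nothing here touches a real network."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_HEADER = 20      # bytes, no options
UDP_HEADER = 8      # bytes
IKE_PORT = 500      # hypothetical firewall rule: allow UDP to port 500 only


@dataclass
class Fragment:
    ident: int                    # IP Identification shared by all pieces of one datagram
    offset: int                   # byte offset of this piece inside the datagram
    more: bool                    # MF flag: more fragments follow
    payload: bytes
    src_port: Optional[int] = None  # only the first fragment carries the UDP header
    dst_port: Optional[int] = None


def fragment_udp(ident: int, src_port: int, dst_port: int,
                 data: bytes, mtu: int) -> List[Fragment]:
    """Split one UDP datagram into IP fragments for a link of the given MTU.
    The 8-byte UDP header (ports) lives only in the first fragment, so the
    later fragments have no port fields at all."""
    datagram = bytes(UDP_HEADER) + data          # placeholder header + payload
    chunk = (mtu - IP_HEADER) // 8 * 8           # fragment sizes are multiples of 8
    frags, off = [], 0
    while off < len(datagram):
        part = datagram[off:off + chunk]
        frag = Fragment(ident, off, off + len(part) < len(datagram), part)
        if off == 0:
            frag.src_port, frag.dst_port = src_port, dst_port
        frags.append(frag)
        off += len(part)
    return frags


def stateless_filter(frags: List[Fragment]) -> List[Fragment]:
    """Firewall that inspects each packet on its own: a fragment with no UDP
    header has no port to match, so everything but the first piece is dropped."""
    return [f for f in frags if f.dst_port == IKE_PORT]


def stateful_filter(frags: List[Fragment]) -> List[Fragment]:
    """Firewall that remembers which datagram IDs were admitted by their first
    fragment and lets the remaining pieces through on that basis.
    Assumes in-order arrival; a real implementation must also buffer
    out-of-order fragments and expire stale entries."""
    admitted, passed = set(), []
    for f in frags:
        if f.offset == 0:
            if f.dst_port != IKE_PORT:
                continue
            admitted.add(f.ident)
        if f.ident in admitted:
            passed.append(f)
            if not f.more:
                admitted.discard(f.ident)    # datagram complete, forget it
    return passed


def covers_datagram(frags: List[Fragment], data_len: int) -> bool:
    """True if the surviving fragments add up to the whole UDP datagram."""
    return sum(len(f.payload) for f in frags) == UDP_HEADER + data_len


def probe_pmtu(path_mtus: List[int], start: int = 1500,
               step: int = 256, floor: int = 576) -> Tuple[int, int]:
    """Trial-and-error PMTU search: send with DF set; each time the simulated
    path rejects the size ('fragmentation needed'), step down by a large
    increment. Returns (usable size, number of failed probes)."""
    path_min, size, failed = min(path_mtus), start, 0
    while size > path_min and size - step >= floor:
        size -= step
        failed += 1
    return size, failed


def demo() -> dict:
    """Long cert chain (constructed 4000-byte payload) over a 1500-byte link."""
    chain = bytes(4000)
    frags = fragment_udp(ident=42, src_port=IKE_PORT, dst_port=IKE_PORT,
                         data=chain, mtu=1500)
    return {
        "fragments": len(frags),
        "stateless_ok": covers_datagram(stateless_filter(frags), len(chain)),
        "stateful_ok": covers_datagram(stateful_filter(frags), len(chain)),
        "pmtu_probe": probe_pmtu([1500, 1300, 1500]),
    }


if __name__ == "__main__":
    print(demo())
```

With the constructed 4000-byte payload the datagram splits into three fragments, the stateless filter forwards only the first, and the stateful one forwards all three; the probe finds a usable size after a single failed DF-set attempt on a path whose narrowest link is 1300 bytes.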