
Re: Moving PIC forwards



Just another data point. I have seen some fragmentation issues even with
large (4k) key sizes. I agree that this is a real issue.

Scott
----- Original Message -----
From: "Bernard Aboba" <aboba@xxxxxxxxxxxxx>
To: "Markus Stenberg" <mstenber@xxxxxxx>
Cc: <ietf-ipsra@xxxxxxxx>
Sent: Wednesday, October 31, 2001 10:18 AM
Subject: Re: Moving PIC forwards


>
> > (Secondary alternative, own PMTU-detection scheme by trial-and-error, I
> >  won't even go to.. nor user configuration :P)
>
> Going to minimum MTU all the time is not a good strategy, I'd agree. Not
> sure that PMTU discovery would be so bad though -- could be made fairly
> simple. For example, set the DF bit, and if fragmentation is encountered
> move down in large increments. In any of these cases, you'd need the
> "continuation" capability, though.
>
> > Is the problem _really_ out there? I personally haven't encountered it
> > much, but my cert chains have been mostly on the short side.
>
> The problem is very common among organizations that have deployed
> LDAP-based directories.
>
> IT organizations often have sophisticated directory structures, and the
> chain of trust is reflective of their organizational hierarchy. So the
> Swedish branch office would be under Europe, which is part of Products
> Group, which is within the Automotive Division, and this results in a long
> cert chain.
>
> >  - If it's matter of product, we should just embrace some form of 'IPsec
> >  compatible' term to differentiate between broken and working firewalls.
>
> Not easy to do when *most* existing routers do not support fragment
> filtering very well. Remember, fragments don't necessarily have a
> header/port present, so you have to keep state in order to handle this
> correctly.
>
> > and others (like us, it seems) are mostly concerned in getting SOMETHING
> > working by kludging around existing crap out there.
>
> Yup. Have been working on IPsec since 1996 now, and am still struggling to
> get a widespread cert-based deployment going. At this point, believe it
> or not, the IKE fragmentation issue is probably a bigger headache than
> getting the PKI infrastructure up, and even deploying smartcards and
> directories.
>
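As an added illustration (not part of this thread, and not anyone's product code), the following Python model shows the fragment-filtering problem Bernard describes: a large IKE message (such as one carrying a long cert chain) gets IP-fragmented, only the first fragment carries the UDP header with port 500, so a stateless "permit UDP/500" rule cannot classify the rest and a firewall must keep per-datagram state to pass them. Fragments are plain dicts, the addresses, IP id and message sizes are constructed sample values, and nothing is put on the wire.

```python
# Added example: why stateless port filtering breaks fragmented IKE,
# and what the "keep state" fix looks like. Fragments are modelled as
# dicts; sample addresses, IP id and sizes are constructed.
import struct

IKE_PORT = 500          # UDP port used by IKE
UDP_HDR = 8             # bytes of UDP header
IP_HDR = 20             # bytes of IPv4 header without options

def fragment(ip_id, src, dst, udp_payload, mtu, dport=IKE_PORT, sport=IKE_PORT):
    """Split one UDP datagram into IPv4 fragments the way a router would.
    Only the first fragment (offset 0) carries the UDP header and ports."""
    datagram = struct.pack("!HHHH", sport, dport, UDP_HDR + len(udp_payload), 0) + udp_payload
    chunk = (mtu - IP_HDR) // 8 * 8          # fragment data must be a multiple of 8 bytes
    frags = []
    for off in range(0, len(datagram), chunk):
        frags.append({"id": ip_id, "src": src, "dst": dst, "offset": off // 8,
                      "mf": off + chunk < len(datagram), "data": datagram[off:off + chunk]})
    return frags

def stateless_allow(frag):
    """Classic stateless ACL: permit UDP to port 500. A non-first fragment has
    no UDP header, so its port is unknown and the fragment is dropped."""
    if frag["offset"] != 0:
        return False
    _, dport = struct.unpack("!HH", frag["data"][:4])
    return dport == IKE_PORT

class StatefulFilter:
    """Remember (src, dst, id) of a permitted first fragment and let the rest
    of that datagram through; this is the state a correct filter must keep."""
    def __init__(self):
        self.allowed = set()

    def allow(self, frag):
        key = (frag["src"], frag["dst"], frag["id"])
        if frag["offset"] == 0:
            if stateless_allow(frag):
                self.allowed.add(key)
                return True
            return False
        return key in self.allowed

def deliverable(frags, policy):
    """True only if every fragment passes, i.e. the peer can reassemble the datagram."""
    return all(policy(f) for f in frags)

# Constructed sample: a 3000-byte IKE message crossing a 576-byte MTU link.
ike_frags = fragment(0x1234, "10.0.0.1", "10.0.0.2", b"\x00" * 3000, 576)
```

The stateful version assumes in-order arrival; a non-first fragment that overtakes its first fragment is still dropped, which is the reassembly-queue problem real firewalls have to handle as well.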