[strongSwan] Question about IKE frag

Emeric POUPON emeric.poupon at stormshield.eu
Fri Apr 28 18:00:15 CEST 2017


Hello,

>>
>> Then if A really wants to fragment its output messages, there is no option to
>> force it?
>
> No, doing so without negotiating it isn't legal (only for IKEv1 when the
> first message is already fragmented, which is the main reason fragmented
> messages are always defragmented).  But the option is enabled by default
> since 5.5.1 anyway.

As far as I understand https://tools.ietf.org/html/rfc7383#page-5, the IKEV2_FRAGMENTATION_SUPPORTED notification payload is used to announce the fragmentation support.
The questionable thing is that it seems to be used for both support and willingness to use it.

B could always announce it supports fragmentation without actually fragmenting itself?
The documentation seems to indicate that we actually process IKE fragmented packets even if we set the option to "no".

That would be something like this:
- no -> announce support (but do not fragment output packets)
- yes -> announce support and use it to fragment output packets

What do you think?

Regards,


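The split the post proposes, announcing support in IKE_SA_INIT separately from being willing to fragment one's own output, can be modelled in a few lines. The following is an added example and is not strongSwan code: the notify type (16430), the SK (46) and SKF (53) payload numbers and the exchange types come from RFC 7383 and RFC 7296, while the policy class, the "yes"/"no" semantics, the helper names and the fragment size are assumptions made for illustration.

```python
"""Model of RFC 7383 negotiation: 'support' announced in IKE_SA_INIT versus
'willingness' to fragment one's own output. Added example, not strongSwan code."""
from dataclasses import dataclass
from typing import List, Tuple

IKEV2_FRAGMENTATION_SUPPORTED = 16430  # Notify Message Type (RFC 7383 / IANA)
PAYLOAD_SK = 46                        # Encrypted and Authenticated payload (RFC 7296)
PAYLOAD_SKF = 53                       # Encrypted Fragment payload (RFC 7383)
EXCHANGE_IKE_SA_INIT = 34
EXCHANGE_IKE_AUTH = 35

# One wire unit: (payload type, Fragment Number, Total Fragments, data).
# An unfragmented message is a single SK unit numbered 1/1.
Unit = Tuple[int, int, int, bytes]


@dataclass(frozen=True)
class FragPolicy:
    """Assumed policy split, following the post: announce vs. actually fragment."""
    announce: bool         # include IKEV2_FRAGMENTATION_SUPPORTED in our IKE_SA_INIT
    fragment_output: bool  # split our own protected messages when allowed


POLICY_NO = FragPolicy(announce=True, fragment_output=False)   # "no": support only
POLICY_YES = FragPolicy(announce=True, fragment_output=True)   # "yes": support and use


def ike_sa_init_notifies(policy: FragPolicy) -> List[int]:
    """Notify types this peer puts into its IKE_SA_INIT request/response."""
    return [IKEV2_FRAGMENTATION_SUPPORTED] if policy.announce else []


def negotiated(local: FragPolicy, peer_notifies: List[int]) -> bool:
    """Fragmentation is usable on the SA only if both peers announced it."""
    return local.announce and IKEV2_FRAGMENTATION_SUPPORTED in peer_notifies


def fragment_message(data: bytes, exchange_type: int, local: FragPolicy,
                     is_negotiated: bool, max_fragment: int) -> List[Unit]:
    """Decide how one outgoing message goes on the wire.

    IKE_SA_INIT carries the negotiation itself, so it is never fragmented.
    Fragmenting without a negotiated SA is not allowed; a peer that announced
    support but is unwilling to fragment simply sends one SK payload.
    """
    if exchange_type == EXCHANGE_IKE_SA_INIT:
        raise ValueError("IKE_SA_INIT cannot be fragmented")
    if not (is_negotiated and local.fragment_output) or len(data) <= max_fragment:
        return [(PAYLOAD_SK, 1, 1, data)]
    chunks = [data[i:i + max_fragment] for i in range(0, len(data), max_fragment)]
    total = len(chunks)
    return [(PAYLOAD_SKF, n, total, c) for n, c in enumerate(chunks, start=1)]


def reassemble(units: List[Unit]) -> bytes:
    """Receiver side: accept SKF fragments regardless of our own 'yes'/'no'.

    Rejects inconsistent Total Fragments, duplicates and gaps, as a receiver
    following RFC 7383 would discard such a set.
    """
    if len(units) == 1 and units[0][0] == PAYLOAD_SK:
        return units[0][3]
    totals = {u[2] for u in units}
    if len(totals) != 1:
        raise ValueError("fragments disagree on Total Fragments")
    total = totals.pop()
    numbers = sorted(u[1] for u in units)
    if numbers != list(range(1, total + 1)):
        raise ValueError("missing or duplicate fragment numbers")
    return b"".join(u[3] for u in sorted(units, key=lambda u: u[1]))


def demo() -> dict:
    """A is configured 'yes', B 'no'; both announce, only A fragments."""
    a, b = POLICY_YES, POLICY_NO
    sa_ok_at_a = negotiated(a, ike_sa_init_notifies(b))
    sa_ok_at_b = negotiated(b, ike_sa_init_notifies(a))
    big = bytes(range(256)) * 10                    # constructed 2560-byte IKE_AUTH body
    a_wire = fragment_message(big, EXCHANGE_IKE_AUTH, a, sa_ok_at_a, 1000)
    b_wire = fragment_message(big, EXCHANGE_IKE_AUTH, b, sa_ok_at_b, 1000)
    return {
        "negotiated": sa_ok_at_a and sa_ok_at_b,
        "a_fragments": len(a_wire),
        "b_fragments": len(b_wire),
        "b_reads_a": reassemble(a_wire) == big,     # 'no' still defragments input
    }


if __name__ == "__main__":
    print(demo())
```

In the demo both peers carry the notify, so the SA has fragmentation negotiated; A (policy "yes") splits its 2560-byte message into three SKF fragments, B (policy "no") sends the same message as a single SK payload but still reassembles what A sent. A peer that does not announce at all leaves the SA without fragmentation, and then even a "yes" peer must send unfragmented, which is the "not legal without negotiating it" point from the quoted reply.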