Hi Lars,

> Hi,
>
> On 2022-3-1, at 14:53, Valery Smyslov <s...@elvis.ru> wrote:
> >
> > I can add the following text at the end of Section 1 (as a new paragraph):
> >
> > Note that the IKE_INTERMEDIATE exchange is not intended for
> > bulk transfer. This specification doesn't set a hard cap on
> > the amount of data that can be safely transferred using this mechanism,
> > as it depends on its application. But it is anticipated that in most cases
> > the amount of data will be limited to tens of Kbytes (a few hundred Kbytes
> > in extreme cases).
> >
> > Is it OK?
>
> Thanks, that looks very reasonable.
>
> (If you wanted to, you could point at RFC6928 as an illustration that the
> IETF thought it OK for TCP to send up to ~15K in the first flight. There
> were also measurements done at the time that showed that at least some
> CDNs used even larger initial flight sizes.)
Thanks for the pointer. I updated the text as follows:

   Note that the IKE_INTERMEDIATE exchange is not intended for bulk
   transfer. This specification doesn't set a hard cap on the amount of
   data that can be safely transferred using this mechanism, as it depends
   on its application. But it is anticipated that in most cases the amount
   of data will be limited to tens of Kbytes (a few hundred Kbytes in
   extreme cases), which is believed to cause no network problems (see
   [RFC6928] as an example of experiments with sending similar amounts of
   data in the first flight of TCP). See also Section 5 for the discussion
   of possible DoS attack vectors when the amount of data sent in
   IKE_INTERMEDIATE is too large.

I also mentioned possible DoS attack vectors when the amount of data is too large.

Thank you,
Valery.

> Thanks,
> Lars

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec