
Re: AH in IPv6



"Naganand Doraswamy" at Nov 19, 96 10:21:37 am
X-Mailer: ELM [version 2.4 PL21]
Content-Type: text
Sender: owner-ipsec@portal.ex.tis.com
Precedence: bulk

> In case of IPv6, if the packet were to be fragmented on the end host, do we
> calculate AH before fragmentation or after fragmentation? RFC says that AH
> is calculated before fragmentation on the sending side and after reassembly
> on the receiving side. I guess it is possible to calculate AH after
> fragmentation as the packets are not fragmented by the intermediate routers
> in case of IPv6 and wanted to clarify which is the right thing to do.

Stick with the spec!  Authentication before fragmentation is CLEARLY the
right thing to do.  All sorts of trickinesses happen if you authenticate
fragments.  Think about fragment size if you don't know the SA before
fragmenting.  If I have the SA a priori, I might as well do it.  If I don't
have an SA, I shouldn't fragment because I don't know what algorithm key
management (or algorithm discovery for you in-line keying folks) will
negotiate.  I can't determine the fragment size in that case because I don't
necessarily know the size of the AH.

> Am I correct in saying that AH is calculated before fragmentation on sending
> side and after reassembly on the receiving side even in IPv6?

Absolutely correct!

--
Daniel L. McDonald | Mail: danmcd@eng.sun.com   Phone: (415) 786-6815        +
Software Engineer  | *** My opinions aren't necessarily Sun's opinions! ***  |
SunSoft Internet   | "rising falling at force ten                            |
        Engineering|  we twist the world and ride the wind"  -  Rush         +
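
The sizing argument in the reply above, worked through as an added example that is not part of the original message. It assumes the later RFC 4302 AH layout (12 fixed octets plus the ICV, padded to a multiple of 8 octets for IPv6); the function names, the per-fragment layout and the sample sizes are constructed for illustration.

```python
IPV6_HDR = 40   # fixed IPv6 header, octets
FRAG_HDR = 8    # IPv6 Fragment extension header, octets


def ah_len(icv_len):
    """AH size in IPv6: 12 fixed octets + ICV, padded up to a multiple of 8."""
    return -(-(12 + icv_len) // 8) * 8


def fragment(data_len, room):
    """Split data_len octets into fragment payload sizes of at most `room`.
    Every fragment except the last must carry a multiple of 8 octets."""
    room -= room % 8
    if room <= 0:
        raise ValueError("MTU too small for any fragment payload")
    sizes = [room] * (data_len // room)
    if data_len % room:
        sizes.append(data_len % room)
    return sizes


def ah_before_fragmentation(payload_len, icv_len, mtu):
    """Behaviour the spec requires: one AH over the whole packet, then
    fragment. AH is part of the fragmentable data, so the room per
    fragment depends only on the MTU, never on the SA's algorithm."""
    return fragment(ah_len(icv_len) + payload_len, mtu - IPV6_HDR - FRAG_HDR)


def ah_per_fragment(payload_len, icv_len, mtu):
    """Hypothetical alternative (assumed layout): every fragment carries
    its own AH, so the room per fragment shrinks by the AH size and
    cannot be computed until the SA, and hence the ICV length, is known."""
    room = mtu - IPV6_HDR - FRAG_HDR - ah_len(icv_len)
    return fragment(payload_len, room)


if __name__ == "__main__":
    payload, mtu = 4000, 1280            # constructed sample values
    for icv in (12, 16, 32):             # e.g. 96-, 128- and 256-bit ICVs
        print(f"ICV {icv:2d} octets, AH {ah_len(icv)} octets")
        print("  AH before fragmentation:",
              ah_before_fragmentation(payload, icv, mtu))
        print("  AH on each fragment    :",
              ah_per_fragment(payload, icv, mtu))
```

With AH applied first, every full fragment carries 1232 octets whatever the ICV length; with AH on each fragment, the full-fragment size moves with the algorithm, and the receiver would also verify one ICV per fragment instead of one per packet.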



