Re: IP packet fragmentation
> > How are IP security transforms applied to fragmented packets (for
> > example a 2000 byte PING which is fragmented into a 1500 byte fragment
> > (header+data) and a 548 byte fragment (header+data))? Is the packet
> > reassembled in the outbound direction and then the security transform
> > applied to the entire reassembled packet?
>
> IPsec _must_ be done before fragmentation. This is specified in RFC 1825,
> and why this is a good idea is documented in Bellovin's USENIX Security paper
> from last summer.
If you're running on a host, yes. If you're running on an encrypting
gateway, you wrap each fragment in a tunnel mode packet. Of course,
you might fragment the resulting encrypted datagram if it's too big.
--
Karl Fox, servant of God, employee of Ascend Communications
3518 Riverside Drive, Suite 101, Columbus, Ohio 43221 +1 614 326 6841
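Added illustration, not part of the thread and not code from any IPsec implementation: a small Python model of the two orderings discussed above. The 2000 byte ping from the question is 8 bytes of ICMP header plus 2000 data bytes behind a 20 byte IPv4 header, 2028 bytes in all, which a 1500 byte MTU splits into the 1500 and 548 byte fragments the question mentions. The "transform" is a constructed AH-like stand-in (an 8 byte SPI/sequence header and a 12 byte truncated HMAC-SHA256 tag under a constructed key); the sizes, the key and the ping payload are assumptions made for the example. The host path protects the whole datagram and then fragments, so a single fragment never verifies on its own and the receiver must reassemble first; the gateway path wraps each arriving fragment, inner header included, in its own tunnel-mode packet, which is fragmented again when it no longer fits the MTU.

```python
"""Toy model of IPsec-before-fragmentation (host) versus per-fragment tunnel
mode (gateway). Sizes follow IPv4: 20-byte header, offsets in 8-byte units.
The transform is a constructed AH-like stand-in (header + HMAC tag); it
provides no confidentiality and is not real AH or ESP."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

IP_HDR = 20    # IPv4 header length without options
SEC_HDR = 8    # SPI (4) + sequence number (4)
SEC_ICV = 12   # HMAC-SHA256 tag truncated to 96 bits
KEY = b"constructed-demo-key"  # constructed key shared by both peers


@dataclass
class Packet:
    payload: bytes       # everything after the IP header
    offset: int = 0      # fragment offset, in 8-byte units
    more: bool = False   # "more fragments" flag

    @property
    def total_len(self) -> int:
        return IP_HDR + len(self.payload)


def serialize(pkt: Packet) -> bytes:
    """Flatten a packet: a 20-byte pseudo IP header carrying only the offset
    and MF flag, followed by the payload (enough for the size arithmetic)."""
    return struct.pack("!H?", pkt.offset, pkt.more).ljust(IP_HDR, b"\0") + pkt.payload


def parse(data: bytes) -> Packet:
    offset, more = struct.unpack("!H?", data[:3])
    return Packet(data[IP_HDR:], offset, more)


def fragment(pkt: Packet, mtu: int) -> list:
    """IPv4-style fragmentation: every fragment but the last carries a payload
    that is a multiple of 8 bytes; the original header is copied to each."""
    if pkt.total_len <= mtu:
        return [pkt]
    chunk = (mtu - IP_HDR) // 8 * 8
    frags, pos = [], 0
    while pos < len(pkt.payload):
        piece = pkt.payload[pos:pos + chunk]
        last = pos + chunk >= len(pkt.payload)
        frags.append(Packet(piece, pkt.offset + pos // 8, pkt.more or not last))
        pos += chunk
    return frags


def reassemble(frags: list) -> Packet:
    frags = sorted(frags, key=lambda f: f.offset)
    return Packet(b"".join(f.payload for f in frags))


def protect(plain: bytes, spi: int = 1, seq: int = 1) -> bytes:
    """Toy transform: SPI/seq header, data, then a tag over header and data."""
    hdr = struct.pack("!II", spi, seq)
    tag = hmac.new(KEY, hdr + plain, hashlib.sha256).digest()[:SEC_ICV]
    return hdr + plain + tag


def unprotect(data: bytes):
    """Return the protected data, or None if the tag does not verify. A lone
    fragment of a protected datagram never verifies: the tag covers it all."""
    if len(data) < SEC_HDR + SEC_ICV:
        return None
    msg, tag = data[:-SEC_ICV], data[-SEC_ICV:]
    expect = hmac.new(KEY, msg, hashlib.sha256).digest()[:SEC_ICV]
    if not hmac.compare_digest(expect, tag):
        return None
    return msg[SEC_HDR:]


def host_send(payload: bytes, mtu: int) -> list:
    """Host: protect the whole datagram first, then fragment (RFC 1825 order)."""
    return fragment(Packet(protect(payload)), mtu)


def host_receive(frags: list):
    """Receiving host: reassemble first, only then verify."""
    return unprotect(reassemble(frags).payload)


def gateway_send(frags: list, mtu: int) -> list:
    """Gateway: each arriving fragment, inner header included, becomes the
    payload of its own tunnel-mode packet, which is fragmented again if it no
    longer fits. Returns one list of outer fragments per tunnel packet (the
    grouping stands in for the IP identification field)."""
    return [fragment(Packet(protect(serialize(f), seq=seq)), mtu)
            for seq, f in enumerate(frags, 1)]


def gateway_receive(groups: list):
    """Peer gateway: reassemble and verify each tunnel packet on its own, then
    forward the original fragment it carried. None if any tunnel packet fails."""
    inner = []
    for group in groups:
        plain = unprotect(reassemble(group).payload)
        if plain is None:
            return None
        inner.append(parse(plain))
    return inner


# Constructed input: a 2000-byte ping, i.e. 8-byte ICMP header + 2000 data bytes.
PING = bytes(8) + b"\x55" * 2000
```

With the constructed ping and a 1500 byte MTU, `fragment(Packet(PING), 1500)` yields 1500 and 548 byte fragments; `host_send` yields 1500 and 568 byte fragments of which neither verifies alone; `gateway_send` on the two plain fragments yields a 1500 byte tunnel packet that re-fragments into 1500 and 60 bytes plus a single 588 byte tunnel packet, each of which the peer gateway verifies independently.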