
Re: IP packet fragmentation



> > How are IP security transforms applied to fragmented packets (for
> > example a 2000 byte PING which is fragmented into a 1500 byte fragment
> > (header+data) and 548 byte fragment (header+data))?  Is the packet
> > reassembled in the outbound direction and then the security transform
> > applied to the entire reassembled packet?
> 
> IPsec _must_ be done before fragmentation.  This is specified in RFC 1825,
> and why this is a good idea is documented in Bellovin's USENIX Security paper
> from last summer.

If you're running on a host, yes.  If you're running on an encrypting
gateway, you wrap each fragment in a tunnel mode packet.  Of course,
you might fragment the resulting encrypted datagram if it's too big.
-- 
Karl Fox, servant of God, employee of Ascend Communications
3518 Riverside Drive, Suite 101, Columbus, Ohio 43221   +1 614 326 6841
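The two orderings discussed in this thread, modelled as an added example (not code from the thread or from any IPsec implementation): a host applies ESP to the whole datagram and then fragments, while a gateway receives already-fragmented packets, wraps each one in tunnel mode and re-fragments whatever no longer fits the MTU. The IPv4 header size is real; the ESP header and trailer sizes are illustrative assumptions chosen to show the overhead.

```python
# Added example, not from the thread. Sizes assume IPv4 (20-byte header);
# the ESP header (8 bytes) and a 10-byte ESP trailer (padding, pad length,
# next header, no authentication data) are assumptions for illustration.

IP_HDR = 20
ICMP_HDR = 8
ESP_HDR = 8
ESP_TRAILER = 10


def fragment(total_len, mtu, hdr=IP_HDR):
    """Split an IP datagram of total_len bytes into fragment sizes that fit mtu.
    Every fragment's payload except the last must be a multiple of 8 bytes,
    because the fragment offset field counts 8-byte units."""
    payload = total_len - hdr
    max_payload = (mtu - hdr) // 8 * 8
    frags, off = [], 0
    while off < payload:
        chunk = min(max_payload, payload - off)
        frags.append(hdr + chunk)
        off += chunk
    return frags


def esp_tunnel(inner_len):
    """Tunnel mode: new outer IP header + ESP header + whole inner packet + trailer."""
    return IP_HDR + ESP_HDR + inner_len + ESP_TRAILER


def host_path(ping_data, mtu):
    """Host: IPsec first (transport-mode ESP on the whole datagram), then fragment.
    The receiver reassembles the fragments and decrypts once."""
    datagram = IP_HDR + ICMP_HDR + ping_data
    protected = datagram + ESP_HDR + ESP_TRAILER  # ESP sits after the IP header
    return fragment(protected, mtu)


def gateway_path(ping_data, mtu):
    """Gateway: the host already fragmented; wrap each fragment in tunnel mode,
    then fragment again any encrypted datagram that exceeds the MTU.
    Returns (inner fragment sizes, list of outer fragment sizes per inner fragment)."""
    inner_frags = fragment(IP_HDR + ICMP_HDR + ping_data, mtu)
    outer = [fragment(esp_tunnel(f), mtu) for f in inner_frags]
    return inner_frags, outer


if __name__ == "__main__":
    # 2000 data bytes + ICMP header + IP header = 2028 bytes, as in the thread.
    print("plain fragments:", fragment(2028, 1500))        # [1500, 548]
    print("host (ESP then fragment):", host_path(2000, 1500))
    print("gateway (tunnel each fragment):", gateway_path(2000, 1500))
```

The gateway path turns the 1500-byte first fragment into a 1538-byte tunnel packet, which is fragmented again into 1500 and 58 bytes, so the receiving gateway must reassemble those before it can decrypt and forward the inner fragment.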


