
Re: IP packet fragmentation



> If you're running on a host, yes.  If you're running on an encrypting
> gateway, you wrap each fragment in a tunnel mode packet.

Good point, but those aren't YOUR fragments.  Before YOU fragment, you
encrypt.  And let's not forget IPv6, where you aren't supposed to have
intermediate fragmentation, but it _technically_ happens when you
encapsulate.  The same analogy applies to IPv4 datagrams with the "don't
fragment" bit set.  You don't fragment the packet to be forwarded, but if you
encapsulate in a tunnel, the tunnel source/dst addresses are of the tunnel
endpoints.  The end-to-end is tunnel-end to tunnel-end in this case.

> Of course, you might fragment the resulting encrypted datagram if it's too
> big.

See above.

Good call, Karl.

Dan
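Added worked example (not part of the original thread, and not Karl's or Dan's code): a small Python model of the size arithmetic behind the point above. It wraps an inner datagram in tunnel-mode ESP, checks the result against the path MTU, and shows that any fragmentation that follows is the gateway fragmenting its own outer packet (source/destination are the tunnel endpoints), whether the inner packet is IPv4 or IPv6. Assumptions, all mine and marked in the code: ESP layout per RFC 4303 with an 8-byte IV and 16-byte ICV, no IP options, an inner IPv4 DF bit honoured by reporting the MTU problem to the inner source rather than fragmenting, and an inner IPv6 packet always handled by fragmenting the outer packet.

```python
"""Tunnel-mode ESP encapsulation versus the path MTU (constructed model).

Sizes follow the ESP packet layout of RFC 4303 (SPI, sequence number, IV,
payload, padding, pad length, next header, ICV).  Only lengths and the
gateway's decision are modelled; addresses and crypto are not.
"""

IPV4_HDR = 20          # outer IPv4 header, no options (assumption)
IPV6_HDR = 40          # outer IPv6 base header
IPV6_FRAG_HDR = 8      # IPv6 Fragment extension header
ESP_HDR = 8            # SPI (4) + sequence number (4)


def esp_tunnel_len(inner_len, outer_version, iv_len=8, icv_len=16, align=4):
    """Length of the outer packet once the whole inner datagram is wrapped
    in tunnel-mode ESP.  Assumed cipher: 8-byte IV, 16-byte ICV (AES-GCM
    style).  ESP pads so that payload + 2-byte trailer ends on a 4-byte
    boundary (more for block ciphers; 4 is the minimum)."""
    trailer_body = inner_len + 2                 # + pad length + next header
    pad = (-trailer_body) % align
    outer_hdr = IPV4_HDR if outer_version == 4 else IPV6_HDR
    return outer_hdr + ESP_HDR + iv_len + trailer_body + pad + icv_len


def fragment_lengths(outer_len, outer_version, mtu):
    """Split the gateway's own outer packet into fragments that fit `mtu`.

    IPv4: every fragment repeats the 20-byte header; payloads are multiples
    of 8 except the last.  IPv6: the encapsulator is the source of the outer
    packet, so it may insert a Fragment header itself (RFC 2473); the
    unfragmentable part is just the base header here."""
    if outer_version == 4:
        per_frag_hdr = IPV4_HDR
        payload = outer_len - IPV4_HDR
    else:
        per_frag_hdr = IPV6_HDR + IPV6_FRAG_HDR
        payload = outer_len - IPV6_HDR
    chunk = ((mtu - per_frag_hdr) // 8) * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry one fragment")
    lengths = []
    while payload > 0:
        take = min(chunk, payload)
        lengths.append(per_frag_hdr + take)
        payload -= take
    return lengths


def gateway_action(inner_len, inner_version, inner_df, outer_version, mtu):
    """What the encrypting gateway does with one inner datagram.

    Returns (action, outer_len, fragments).  Encryption happens first; the
    outer packet is then the gateway's own, so fragmenting it is not
    intermediate fragmentation of the inner datagram.
    Policy assumptions: inner IPv4 with DF=1 gets an ICMP Fragmentation
    Needed back to the inner source instead of outer fragmentation (one of
    the RFC 4301 options); inner IPv6 is always handled by fragmenting the
    outer packet (RFC 2473 also allows ICMPv6 Packet Too Big for large
    inner packets; that branch is not modelled)."""
    outer_len = esp_tunnel_len(inner_len, outer_version)
    if outer_len <= mtu:
        return ("forward", outer_len, [outer_len])
    if inner_version == 4 and inner_df:
        return ("icmp_frag_needed", outer_len, [])
    return ("fragment_outer", outer_len,
            fragment_lengths(outer_len, outer_version, mtu))


if __name__ == "__main__":
    # Constructed inputs: (inner_len, inner_version, inner_df, outer_version, mtu)
    for args in [(1400, 4, False, 4, 1500),
                 (1480, 4, False, 4, 1500),
                 (1480, 4, True, 4, 1500),
                 (1480, 6, False, 6, 1500)]:
        print(args, "->", gateway_action(*args))
```

The second and fourth cases are the ones the message is about: a 1480-byte inner packet fits the wire on its own, but after the ESP wrap it does not, so the gateway emits two outer fragments addressed tunnel-end to tunnel-end and the far gateway reassembles before decrypting.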

