Why can't ?
Hi All,
With respect to the draft draft-ietf-ipsec-arch-sec-04.txt
Case 3. This case combines cases 1 and 2, adding end-to-end security
between the sending and receiving hosts. It imposes no new
requirements on the hosts or security gateways, other than a
requirement for a security gateway to be configurable to pass
IPsec traffic (including ISAKMP traffic) for hosts behind it.
  ==============================================================
  |                 ===SG3*=========*SG5===                    |
  |                 |                 |    |                   |
  |                 |===SG4===========|    |                   |
--|-----------------|----                --|-------------------|---
| |  Trusted N/W    |   |                | |  Trusted N/W      |  |
| H1 -- (Local --- SG1* |-- (Internet) --| SG2* --- (Local --- H2 |
|       Intranet)       |                |          Intranet)     |
-------------------------                --------------------------
     admin. boundary                      admin. boundary
Let us consider the following situation:
* SG3, SG4 and SG5 are in between routers.
* SG1 and SG2 have AH/ESP tunnel.
* SG3 and SG5 have AH/ESP tunnel.
* Host H1 sends out the packet destined to H2.
* SG1 applies IPsec and the packet gets fragmented.
* The first fragment reaches SG5 and then SG2, through SG4, without any
IPsec applied since there is no security association between SG4 and SG5.
* The rest of the fragments go through SG3.
Since IPSEC does not process fragments, the fragments in the SG3-SG5 tunnel
get dropped. Of course, if the PMTU is proper and is above the threshold
for MTU, there will not be fragments. But, in the rare case where the PMTU
is lower than the threshold or the path changes in the middle of a
transmission, there could be fragments. Is this scenario feasible, in the
first place? We think it is possible. Will these fragments be discarded? Is
it essential for them to be discarded?
Bridging the gap between hardware and software
with best wishes
- K. SrinivasRao(email : srinu@trinc.com )
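As an added illustration (not part of the post above or of the draft it cites), here is a toy Python model of the scenario: the first fragment of SG1's output travels SG4 -> SG5 and the remaining fragments reach SG3, which is modelled either as discarding fragments ("drop", the behaviour the post worries about) or as applying tunnel mode to each fragment as an opaque whole packet ("tunnel"). The gateway names, the "drop"/"tunnel" modes and the packet fields are assumptions of this model, not statements about the draft.

```python
from dataclasses import dataclass, field

@dataclass
class Pkt:
    src: str
    dst: str
    ident: int          # IP identification shared by all fragments of one packet
    offset: int         # fragment offset in bytes (0 for the first fragment)
    more: bool          # MF flag
    payload: bytes
    outer: list = field(default_factory=list)  # stack of tunnel headers (src, dst)

def fragment(p: Pkt, mtu: int) -> list:
    """Split p into fragments carrying at most mtu payload bytes each (constructed model)."""
    frags, pos = [], 0
    while pos < len(p.payload):
        chunk = p.payload[pos:pos + mtu]
        frags.append(Pkt(p.src, p.dst, p.ident, pos, pos + mtu < len(p.payload), chunk))
        pos += mtu
    return frags

def sg3_forward(frag: Pkt, mode: str):
    """Hypothetical SG3 behaviour: drop fragments, or tunnel each fragment as a whole packet."""
    if mode == "drop" and (frag.offset != 0 or frag.more):
        return None                     # "IPsec does not process fragments"
    if mode == "tunnel":
        frag.outer.append(("SG3", "SG5"))  # inner fragment header left untouched
    return frag

def sg5_receive(frag: Pkt) -> Pkt:
    """SG5 strips its own tunnel header; traffic from SG4 arrives with none."""
    if frag.outer and frag.outer[-1] == ("SG3", "SG5"):
        frag.outer.pop()
    return frag

def reassemble(frags: list):
    """SG2-side reassembly; returns the payload or None if any fragment is missing."""
    frags = sorted(frags, key=lambda f: f.offset)
    if not frags or frags[0].offset != 0 or frags[-1].more:
        return None
    data, expect = b"", 0
    for f in frags:
        if f.offset != expect:
            return None
        data, expect = data + f.payload, expect + len(f.payload)
    return data

def run(mode: str, payload: bytes = b"x" * 1000, mtu: int = 400):
    """First fragment goes SG4->SG5, the rest SG3->SG5; returns what SG2 can reassemble."""
    first, *rest = fragment(Pkt("SG1", "SG2", 7, 0, False, payload), mtu)
    arrived = [sg5_receive(first)]
    for f in rest:
        out = sg3_forward(f, mode)
        if out is not None:
            arrived.append(sg5_receive(out))
    return reassemble(arrived)
```

With "drop", SG2 never sees the fragments that went via SG3 and reassembly fails; with "tunnel", SG5 decapsulates them and SG2 reassembles them together with the fragment that came via SG4.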