
RE: IPSEC standardization status



Baiju,

>The IPSEC architecture document says
>
>B.2 Fragmentation
>   Fragmentation MUST be done after outbound IPsec processing.
>   Reassembly MUST be done before inbound IPsec processing.
>
>When I read it (and there is a table and text that elaborates it), even for
>IPSEC tunnel mode, all the fragmentation must be done after IPSEC processing
>(i.e., the packet being tunneled cannot be fragmented).
>
>However, earlier mail from Steve Kent (attached here) states that it
>must be done for transport mode and for tunnel mode (his reason
>for recommending tunnel-only mode) it is not an issue.

Section 3.3.5 in the ESP document, and 3.3.4 in AH clearly state that
tunnel mode is applied to IP packets, the payload of which may be a
fragment.  I think this provides a clearer response to your question, vs.
the details of Appendix B of the Arch Doc (which is meant to be read as an
adjunct to these other documents).

Steve
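The processing order under discussion (outbound: IPsec first, then fragment the outer packet; inbound: reassemble the outer packet, then IPsec; and in tunnel mode the inner packet handed to IPsec may itself already be a fragment), as a runnable toy model. This is an added example, not code from the thread or from any IPsec implementation: the 13-byte header, the HMAC-SHA256 keystream "cipher", the truncated HMAC ICV and the packet layout are simplified stand-ins for ESP's real wire format and transforms, and all addresses, keys and payloads below are constructed.

```python
"""Toy model of the tunnel-mode fragmentation order (IPsec, then fragment; reassemble, then IPsec).
Assumption: an HMAC-SHA256 keystream and a 16-byte HMAC ICV stand in for ESP's real cipher and
authenticator; the header below is a cut-down IP header, not the real one."""
from __future__ import annotations
import hashlib, hmac, struct
from dataclasses import dataclass, replace

HDR = struct.Struct("!4s4sBHH")   # src, dst, proto, ident, flags|offset (offset in 8-byte units)
MF = 0x2000                        # "more fragments" bit
ESP_PROTO = 50

@dataclass
class Packet:
    src: bytes; dst: bytes; proto: int; ident: int; mf: bool; offset: int; payload: bytes

    def to_bytes(self) -> bytes:
        return HDR.pack(self.src, self.dst, self.proto, self.ident,
                        (MF if self.mf else 0) | (self.offset & 0x1FFF)) + self.payload

    @classmethod
    def from_bytes(cls, raw: bytes) -> Packet:
        src, dst, proto, ident, ff = HDR.unpack_from(raw)
        return cls(src, dst, proto, ident, bool(ff & MF), ff & 0x1FFF, raw[HDR.size:])

def fragment(pkt: Packet, mtu: int) -> list[Packet]:
    """IP fragmentation. Works on packets that are already fragments: MF stays set and
    offsets are relative to the original datagram."""
    max_data = (mtu - HDR.size) // 8 * 8
    if max_data <= 0:
        raise ValueError("MTU too small")
    if HDR.size + len(pkt.payload) <= mtu:
        return [pkt]
    frags = []
    for off in range(0, len(pkt.payload), max_data):
        last = off + max_data >= len(pkt.payload)
        frags.append(replace(pkt, mf=(pkt.mf or not last), offset=pkt.offset + off // 8,
                             payload=pkt.payload[off:off + max_data]))
    return frags

def reassemble(frags: list[Packet]) -> Packet:
    """IP reassembly of one datagram; rejects gaps, overlaps and a missing last fragment."""
    frags = sorted(frags, key=lambda f: f.offset)
    first, expected, data = frags[0], 0, b""
    for f in frags:
        if (f.src, f.dst, f.proto, f.ident) != (first.src, first.dst, first.proto, first.ident):
            raise ValueError("fragment from a different datagram")
        if f.offset * 8 != expected:
            raise ValueError("gap or overlap at offset %d" % f.offset)
        data, expected = data + f.payload, expected + len(f.payload)
    if frags[-1].mf:
        raise ValueError("last fragment missing")
    return replace(first, mf=False, offset=0, payload=data)

def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:   # toy keystream, NOT a real ESP cipher
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest(); ctr += 1
    return out[:n]

def esp_tunnel_encap(inner: Packet, key: bytes, spi: int, seq: int, osrc: bytes, odst: bytes) -> Packet:
    """Tunnel mode: the whole inner packet (fragment header fields included) becomes the payload."""
    pt = inner.to_bytes()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, spi, seq, len(pt))))
    body = struct.pack("!II", spi, seq) + ct
    icv = hmac.new(key, body, hashlib.sha256).digest()[:16]   # ICV covers the whole ESP payload
    return Packet(osrc, odst, ESP_PROTO, seq & 0xFFFF, False, 0, body + icv)

def esp_tunnel_decap(outer: Packet, key: bytes) -> Packet:
    """Inbound ESP. A lone outer fragment carries only part of the ICV-protected payload, so
    it cannot verify; that is why reassembly must precede inbound IPsec processing."""
    body, icv = outer.payload[:-16], outer.payload[-16:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest()[:16], icv):
        raise ValueError("ICV check failed")
    spi, seq = struct.unpack("!II", body[:8])
    ct = body[8:]
    return Packet.from_bytes(bytes(a ^ b for a, b in zip(ct, _keystream(key, spi, seq, len(ct)))))

def outbound(inner: Packet, key: bytes, spi: int, seq: int, osrc: bytes, odst: bytes, mtu: int) -> list[Packet]:
    """Sender side: IPsec first, then fragment the resulting outer packet if it exceeds the MTU."""
    return fragment(esp_tunnel_encap(inner, key, spi, seq, osrc, odst), mtu)

def inbound(wire: list[Packet], key: bytes) -> Packet:
    """Receiver side: reassemble the outer packet first, then run inbound IPsec."""
    return esp_tunnel_decap(reassemble(wire), key)

def decap_rejects(outer: Packet, key: bytes) -> bool:
    """True if inbound ESP refuses the packet (used to show what skipping reassembly does)."""
    try:
        esp_tunnel_decap(outer, key)
    except ValueError:
        return True
    return False

# Constructed sample data (not real addresses or keys).
KEY, SPI = b"example-key-not-for-real-use", 0x1001
A, B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
GW1, GW2 = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])

if __name__ == "__main__":
    # Inner packet is itself a fragment (MF set) produced upstream; tunnel mode carries it as-is.
    inner_frag = Packet(A, B, 17, 0x4242, True, 0, bytes(range(256)) * 5 + b"x" * 120)
    wire = outbound(inner_frag, KEY, SPI, 7, GW1, GW2, 576)
    print(len(wire), "outer fragments; round trip ok:", inbound(wire, KEY) == inner_frag)
    print("decap of a single outer fragment rejected:", decap_rejects(wire[0], KEY))
```

The round trip shows the two rules together: the inner fragment survives untouched because tunnel mode treats it as opaque payload, the ESP packet is fragmented only after the ICV was computed, and the receiver must put the outer pieces back together before the ICV can be checked.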