
Re: IPsec and Fragmentation



> I have the following setup:
> 
>            +--------------------------------------------------------+
>    H1---|----MTU=2000-----RTR------MTU=1280------|------SG1-----MTU=1500-----H2
>            +--------------------------------------------------------+
>                 SA, tunnel mode
> 
> 
> H1, H2 - hosts
> RTR - intermediate router in the secure tunnel
> SG1 - security gateway
> 
> What I've tried to show is a tunnel mode SA between H1 and SG1 that will
> secure packets from H1 to H2.  The MTU in the tunnel will be 1280.  Here's
> what I see happening:

Wait.  Let's look at this from the network-only perspective first.  Since the
tunnel is between H1 and SG1, then I have reachability from H1 to SG1.  How
would your implementation on H1 normally handle such MTU discovery?  Is there
an entry of some kind on H1 that says "1280 bytes from me to SG1"?

> 1.  H1 sends 1800 bytes to H2.  It is secured (it has an outer header) and
> sent into the tunnel.

So far so good.

> 2.  A packet too big is sent back from RTR with an MTU of 1280.

Okay, after this, you'd BETTER have an entry on H1 that says "1280 bytes from
me to SG1".

> 3.  H1 sends 1800 bytes to H2.  It is secured and has an outer header from H1
> to SG1.  It is fragmented and sent into the tunnel.

So 1800 + ESP will get split.  Cool.  BTW, if you were using TCP, your TCP
should know to send smaller fragments.  Just a point.  UDP can't do this,
neither can ICMP (e.g. ping).

> 4.  SG1 receives the fragments and reassembles.

Okay.

> 5.  SG1 de-capsulates the packet and attempts to forward to H2.

Over an ethernet of 1500.

> 6.  This fails since the packet is 1800 bytes and the MTU on the output net 
> for SG1 is 1500 bytes.

Yes, and what should then happen is SG1 should send back a "too big" to H1
for the 1500 bit.

In addition to "1280 bytes from me to SG1", perhaps H1 should also have a
"1500 bytes from H1 to H2" which will have the initial IP do the right
thing.

Since H1 is the originator of both the INNER and the OUTER packet,
fragmenting twice is perfectly within the rules, even for IPv6.

> Have I implemented something incorrectly?

Which part?  Judging from your .signature, I'd guess you're concerned about
SG1 or the RTR.  I'd just make sure that your SG1 issues a "packet too big"
for destination H2 back to H1.  It is up to (IMHO) H1 to do the right thing
with that.

> It appears that I am following the architecture for H1 (i.e., securing and
> then fragmenting), but I don't see how I can get these large packets to H2
> unless I fragment and then secure in H1.  Any help would be appreciated.

A lot will depend on how H1 and SG1 implement things.  Like I said, H1
should be able to deal with ICMP too big messages for both the outer-packet
path, and the inner-packet path, because it is the originator of both.
Likewise, SG1 should know the difference between a too big sent on behalf of
the outer packet vs. one sent on behalf of the inner packet.  Solving this is
not painless.

Dan


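The sequence Dan walks through (too-big from RTR for the outer packet, too-big from SG1 on behalf of the inner packet, H1 keeping one PMTU entry per destination and fragmenting twice) can be simulated end to end.  The following Python is an added illustration, not code from the thread or from either poster's implementation.  It assumes a 20-byte IPv4 header, an illustrative 30-byte ESP overhead, routers that never fragment (IPv6, or IPv4 with DF set), and the 1800-byte inner packet from the original message; SG1 distinguishes the two too-big cases by which packet it quotes back.

```python
"""Path-MTU discovery across a tunnel-mode IPsec SA (added example).

Topology: H1 --MTU 2000-- RTR --MTU 1280-- SG1 --MTU 1500-- H2, SA between H1
and SG1.  Routers never fragment: only the originating host does, and H1
originates BOTH the inner packet (dst H2) and the outer packet (dst SG1).
"""
from __future__ import annotations
from dataclasses import dataclass
from itertools import count
from math import ceil

IP_HDR = 20                # assumed: IPv4 header without options
ESP_OVERHEAD = 30          # assumed, illustrative: ESP header + IV + trailer + ICV
TUNNEL_OVERHEAD = IP_HDR + ESP_OVERHEAD   # added by tunnel mode to the inner packet


@dataclass
class Pkt:
    src: str
    dst: str
    length: int                 # total length, including this packet's own IP header
    inner: Pkt | None = None    # encapsulated packet when this is an ESP tunnel packet
    frag_id: int = 0
    frag_total: int = 1         # number of fragments carrying the datagram (1 = whole)


@dataclass
class TooBig:
    mtu: int
    quoted_dst: str             # destination of the packet that did not fit


def fragment(pkt: Pkt, mtu: int, ids) -> list[Pkt]:
    """Source fragmentation: pieces of at most `mtu` bytes, each with its own header."""
    if pkt.length <= mtu:
        return [pkt]
    payload, per_frag = pkt.length - IP_HDR, mtu - IP_HDR
    n, fid = ceil(payload / per_frag), next(ids)
    return [Pkt(pkt.src, pkt.dst, IP_HDR + min(per_frag, payload - i * per_frag),
                pkt.inner, fid, n) for i in range(n)]


def reassemble(buf: dict, frag: Pkt) -> Pkt | None:
    """Return the whole datagram once all of its fragments have arrived, else None."""
    if frag.frag_total == 1:
        return frag
    parts = buf.setdefault(frag.frag_id, [])
    parts.append(frag)
    if len(parts) < frag.frag_total:
        return None
    del buf[frag.frag_id]
    return Pkt(frag.src, frag.dst, IP_HDR + sum(p.length - IP_HDR for p in parts),
               parts[0].inner)


class H1:
    """Originator of both inner and outer packets; one PMTU entry per destination."""
    def __init__(self):
        self.pmtu: dict[str, int] = {}
        self.ids = count(1)

    def path_mtu(self, dst: str) -> int:
        return self.pmtu.get(dst, 2000)          # first-hop link MTU until told otherwise

    def send(self, data_len: int, net: Net) -> None:
        inner = Pkt("H1", "H2", IP_HDR + data_len)
        for inner_frag in fragment(inner, self.path_mtu("H2"), self.ids):     # 1st
            outer = Pkt("H1", "SG1", inner_frag.length + TUNNEL_OVERHEAD, inner_frag)
            for outer_frag in fragment(outer, self.path_mtu("SG1"), self.ids):  # 2nd
                net.rtr(outer_frag)

    def too_big(self, msg: TooBig) -> None:
        # The quoted destination says which path the limit belongs to:
        # SG1 -> the tunnel (outer) path, H2 -> the end-to-end (inner) path.
        self.pmtu[msg.quoted_dst] = min(self.path_mtu(msg.quoted_dst), msg.mtu)


class Net:
    def __init__(self, h1: H1):
        self.h1, self.sg1_buf, self.h2_buf, self.h2_received = h1, {}, {}, []

    def rtr(self, pkt: Pkt) -> None:
        if pkt.length > 1280:                       # RTR never fragments
            self.h1.too_big(TooBig(1280, pkt.dst))  # quotes the OUTER packet (dst SG1)
            return
        self.sg1(pkt)

    def sg1(self, pkt: Pkt) -> None:
        whole = reassemble(self.sg1_buf, pkt)
        if whole is None:
            return
        inner = whole.inner                          # decapsulate: strip outer IP + ESP
        if inner.length > 1500:                      # egress ethernet toward H2
            self.h1.too_big(TooBig(1500, inner.dst))  # quotes the INNER packet (dst H2)
            return
        delivered = reassemble(self.h2_buf, inner)   # H2 reassembles the inner fragments
        if delivered is not None:
            self.h2_received.append(delivered.length - IP_HDR)


def run(data_len: int = 1780, max_attempts: int = 5):
    """Resend until H2 gets the datagram; returns (attempts, H1's PMTU cache, bytes at H2)."""
    h1 = H1()
    net = Net(h1)
    for attempt in range(1, max_attempts + 1):
        h1.send(data_len, net)
        if net.h2_received:
            return attempt, dict(h1.pmtu), net.h2_received[0]
    return max_attempts, dict(h1.pmtu), None


if __name__ == "__main__":
    print(run())   # third attempt succeeds with {"SG1": 1280, "H2": 1500} cached
```

With the 1800-byte packet the first attempt draws the RTR's too-big for the outer path, the second draws SG1's too-big for the inner path, and only the third fragments the inner packet to 1500, encapsulates, and fragments the outer packet again to 1280.  A 1400-byte payload needs only the outer entry, which is why H1 must keep the two limits apart rather than collapsing them into one number.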