
Re: IPsec and Fragmentation



> Yes, and what should then happen is SG1 should send back a "too big" to H1
> for the 1500 bit.
>
> In addition to "1280 bytes from me to SG1", perhaps H1 should also have a
> "1500 bytes from H1 to H2" which will have the initial IP do the right
> thing.
>
> Since H1 is the originator of both the INNER and the OUTER packet,
> fragmenting twice is perfectly within the rules, even for IPv6.

I agree, except I missed my opportunity to fragment the inner packet because
according to the architecture, I need to secure the packet first and then
fragment it.  By the time I've secured it, I "lose track" of the inner
header, so I just fragment it according to the outer header which is causing
my problem!  Any other suggestions to help me get out of my predicament?
I must be missing something obvious - I still think the only way to get
out of this is to fragment first and then secure.


Karen Heron
Router Development
IBM, RTP, NC
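
Added example, not part of the original message or of any IPsec implementation: a size-only model of the two orderings discussed above for a 1500-byte inner packet over a 1280-byte path. It assumes IPv4 headers without options and a constructed ESP overhead of 36 bytes with padding ignored; all function names are hypothetical.

```python
# Size-only model of tunnel-mode ESP and IPv4 fragmentation (added illustration).
IP_HDR = 20        # IPv4 header without options
ESP_OVERHEAD = 36  # assumed: SPI + sequence (8) + IV (16) + ICV (12), padding ignored


def fragment(total_len, mtu, hdr=IP_HDR):
    """Return the on-wire sizes of the fragments of one IPv4 packet."""
    if total_len <= mtu:
        return [total_len]
    payload = total_len - hdr
    chunk = (mtu - hdr) // 8 * 8  # non-final fragments carry a multiple of 8 bytes
    sizes = []
    while payload > 0:
        part = min(chunk, payload)
        sizes.append(hdr + part)
        payload -= part
    return sizes


def encapsulate(inner_len):
    """Tunnel mode: outer IP header plus ESP wrapped around the whole inner packet."""
    return IP_HDR + ESP_OVERHEAD + inner_len


def inner_mtu(path_mtu):
    """Largest inner packet that still fits the path once encapsulated."""
    return path_mtu - IP_HDR - ESP_OVERHEAD


def secure_then_fragment(inner_len, path_mtu):
    """One ESP packet, then fragmented according to the outer header.
    The tunnel endpoint has to reassemble before it can process ESP."""
    return fragment(encapsulate(inner_len), path_mtu)


def fragment_then_secure(inner_len, path_mtu):
    """Inner packet fragmented to inner_mtu, each fragment secured on its own.
    Every result is a complete ESP packet; the inner destination reassembles."""
    return [encapsulate(f) for f in fragment(inner_len, inner_mtu(path_mtu))]


if __name__ == "__main__":
    print("inner MTU:", inner_mtu(1280))
    print("secure, then fragment:", secure_then_fragment(1500, 1280))
    print("fragment, then secure:", fragment_then_secure(1500, 1280))
```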



