Re: IPsec and Fragmentation
> Yes, and what should then happen is SG1 should send back a "too big" to H1
> for the 1500 bit.
>
> In addition to "1280 bytes from me to SG1", perhaps H1 should also have a
> "1500 bytes from H1 to H2" which will have the initial IP do the right
> thing.
>
> Since H1 is the originator of both the INNER and the OUTER packet,
> fragmenting twice is perfectly within the rules, even for IPv6.
I agree, except I missed my opportunity to fragment the inner packet because
according to the architecture, I need to secure the packet first and then
fragment it. By the time I've secured it, I "lose track" of the inner
header, so I just fragment it according to the outer header which is causing
my problem! Any other suggestions to help me get out of my predicament?
I must be missing something obvious - I still think the only way to get
out of this is to fragment first and then secure.
Karen Heron
Router Development
IBM, RTP, NC