
Re: IPsec and Fragmentation



> I agree, except I missed my opportunity to fragment the inner packet
> because according to the architecture, I need to secure the packet first
> and then fragment it.

And that should be your first course of action.  It shouldn't be the
subsequent course of action.

> By the time I've secured it, I "lose track" of the inner header, so I just
> fragment it according to the outer header, which is causing my problem!

Is that true?  Like I said, H1

> Any other suggestions to help me get out of my predicament?  I must be
> missing something obvious - I still think the only way to get out of this
> is fragment first and then secure.

After receiving appropriate ICMP too big information, I guess you should
"fragment before you secure".  From the inner packet's point of view
(i.e. the inner packet sees a network, and nothing about tunnels), it's just
a node somewhere out on the network saying that the packet is too big.

That sort of "fragmenting before you secure" is not so much a "violation" of
the architecture document.  That phrase is in there to prevent doing
additional stuff beyond normal IP processing.  (Steve, I do have this right,
don't I?)

It's just normal IP processing.  Keeping the inner and outer packets as
distinct IP entities helps keep a lot of this easier to manage.

Dan
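The "fragment before you secure" approach Dan describes, as an added example that is not part of the original thread or of any IPsec implementation: the inner packet is treated as an ordinary IP packet arriving at a router whose link MTU is the outer path MTU minus the ESP tunnel-mode overhead. If DF is clear it is fragmented with normal IPv4 rules before ESP ever sees it; if DF is set, the sender gets an ICMP "fragmentation needed" carrying the inner MTU, exactly as if a node out on the network had said the packet is too big. The ESP overhead figures (AES-CBC with a 16-byte IV and block, HMAC-SHA1-96 with a 12-byte ICV, a 20-byte outer IPv4 header) and the sample packets are assumptions constructed for the example.

```python
"""Added example (not from the original thread): fragment an inner IPv4 packet
before ESP tunnel-mode encapsulation so the secured outer packet fits the path MTU.
ESP sizes below are assumptions: AES-CBC (16-byte IV/block), HMAC-SHA1-96 (12-byte ICV)."""
import struct

OUTER_IP_HDR = 20   # outer IPv4 tunnel header (no options)
ESP_HDR = 8         # SPI + sequence number
ESP_IV = 16         # assumed CBC IV length
ESP_BLOCK = 16      # assumed cipher block size
ESP_TRAILER = 2     # pad length + next header
ESP_ICV = 12        # assumed HMAC-SHA1-96 ICV
ESP_FIXED = OUTER_IP_HDR + ESP_HDR + ESP_IV + ESP_ICV


class NeedFrag(Exception):
    """Inner packet has DF set and does not fit: caller must answer with ICMP 3/4."""
    def __init__(self, mtu):
        super().__init__(mtu)
        self.mtu = mtu


def esp_tunnel_size(inner_len):
    """On-the-wire length of an inner packet of inner_len bytes after tunnel-mode ESP."""
    padded = (inner_len + ESP_TRAILER + ESP_BLOCK - 1) // ESP_BLOCK * ESP_BLOCK
    return ESP_FIXED + padded


def inner_mtu(outer_pmtu):
    """Largest inner packet that still fits in outer_pmtu once encapsulated."""
    padded_max = (outer_pmtu - ESP_FIXED) // ESP_BLOCK * ESP_BLOCK
    return padded_max - ESP_TRAILER


def ipv4_checksum(buf):
    """RFC 1071 ones-complement checksum over an even-length buffer."""
    s = sum(struct.unpack('!%dH' % (len(buf) // 2), buf))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def make_ipv4(ident, payload, df=False, proto=17):
    """Build a minimal IPv4 packet (no options) around a constructed payload."""
    flags_off = 0x4000 if df else 0
    hdr = bytearray(struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), ident,
                                flags_off, 64, proto, 0,
                                bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    struct.pack_into('!H', hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def fragment_inner(packet, mtu):
    """Fragment an inner IPv4 packet (no options) to <= mtu, as a router on the inner
    network would, before it is handed to ESP.  Raises NeedFrag when DF is set."""
    if (packet[0] & 0x0F) * 4 != 20:
        raise ValueError("IP options are not handled in this example")
    if len(packet) <= mtu:
        return [packet]
    total_len, ident, flags_off = struct.unpack('!HHH', packet[2:8])
    if flags_off & 0x4000:
        raise NeedFrag(mtu)
    orig_mf, orig_off = flags_off & 0x2000, flags_off & 0x1FFF
    data = packet[20:total_len]
    step = (mtu - 20) // 8 * 8          # fragment data must be a multiple of 8 bytes
    frags = []
    for pos in range(0, len(data), step):
        chunk = data[pos:pos + step]
        # Last piece inherits the original MF bit (the input may itself be a fragment).
        mf = orig_mf if pos + step >= len(data) else 0x2000
        hdr = bytearray(packet[:20])
        struct.pack_into('!HHH', hdr, 2, 20 + len(chunk), ident, mf | (orig_off + pos // 8))
        struct.pack_into('!H', hdr, 10, 0)
        struct.pack_into('!H', hdr, 10, ipv4_checksum(bytes(hdr)))
        frags.append(bytes(hdr) + chunk)
    return frags


def icmp_frag_needed(packet, mtu):
    """ICMP Destination Unreachable / Fragmentation Needed (type 3, code 4, RFC 1191):
    what the inner sender sees; the tunnel itself stays invisible to it."""
    msg = bytearray(struct.pack('!BBHHH', 3, 4, 0, 0, mtu) + packet[:28])
    if len(msg) % 2:
        msg.append(0)
    struct.pack_into('!H', msg, 2, ipv4_checksum(bytes(msg)))
    return bytes(msg)


def secure_outbound(packet, outer_pmtu):
    """Fragment-before-secure: returns (inner packets to encapsulate, ICMP reply or None)."""
    mtu = inner_mtu(outer_pmtu)
    try:
        return fragment_inner(packet, mtu), None
    except NeedFrag as e:
        return [], icmp_frag_needed(packet, e.mtu)


if __name__ == "__main__":
    pkt = make_ipv4(0x1234, bytes(range(256)) * 8)       # constructed 2068-byte packet
    frags, icmp = secure_outbound(pkt, 1500)
    print("inner MTU for 1500-byte path:", inner_mtu(1500))
    print("fragments:", [len(f) for f in frags], "encapsulated:",
          [esp_tunnel_size(len(f)) for f in frags])
```

Note that the inner MTU is recomputed from whatever the outer path MTU currently is, so an ICMP "too big" received on the outer tunnel is folded into the next inner-packet decision rather than triggering a post-encryption fragmentation of the outer packet.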

