Re: IPsec and Fragmentation
> I agree, except I missed my opportunity to fragment the inner packet
> because according to the architecture, I need to secure the packet first
> and then fragment it.
And that should be your first course of action. It shouldn't be the
subsequent course of action.
> By the time I've secured it, I "lose track" of the inner header, so I just
> fragment it according to the outer header, which is causing my problem!
Is that true? Like I said, H1
> Any other suggestions to help me get out of my predicament? I must be
> missing something obvious - I still think the only way to get out of this
> is fragment first and then secure.
After receiving appropriate ICMP too big information, I guess you should
"fragment before you secure". From the inner packet's point of view
(i.e. the inner packet sees a network, and nothing about tunnels), it's just
a node somewhere out on the network saying that the packet is too big.
That sort of "fragmenting before you secure" is not so much a "violation" of
the architecture document. That phrase is in there to prevent doing
additional stuff beyond normal IP processing. (Steve, I do have this right,
don't I?)
It's just normal IP processing. Keeping the inner and outer packets as
distinct IP entities helps keep a lot of this easier to manage.
Dan
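The approach Dan describes, as an added worked example that is not code from the thread or from any IPsec implementation: once an ICMP Too Big arrives for the outer (tunnel) path, derive the MTU the inner packet may have, fragment the inner packet by ordinary IPv4 rules, and only then hand each fragment to ESP tunnel-mode encapsulation, so the inner and outer packets stay distinct IP entities. The ESP overhead figures (20-byte outer IPv4 header, 8-byte ESP header, 16-byte IV as for AES-CBC, 12-byte ICV as for HMAC-SHA1-96, padding to a 16-byte block), the option-less inner IPv4 header and the sample packet are all assumptions constructed for the example.

```python
"""Pre-encapsulation ("fragment before you secure") handling for ESP tunnel mode.

Added example, not from the original thread. The overhead constants below are
assumptions (AES-CBC IV, HMAC-SHA1-96 ICV); real values come from the SA.
"""
import struct

OUTER_IP_HDR = 20   # outer IPv4 header, no options
ESP_HDR = 8         # SPI + sequence number
ESP_IV = 16         # assumption: 16-byte IV (AES-CBC)
ESP_TRAILER = 2     # pad length + next header
ESP_ICV = 12        # assumption: 96-bit ICV (HMAC-SHA1-96)
ESP_BLOCK = 16      # assumption: cipher block size the padding aligns to


def esp_tunnel_len(inner_len):
    """Outer IPv4 packet length when inner_len bytes are ESP tunnel-encapsulated."""
    pad = (-(inner_len + ESP_TRAILER)) % ESP_BLOCK
    return OUTER_IP_HDR + ESP_HDR + ESP_IV + inner_len + pad + ESP_TRAILER + ESP_ICV


def inner_mtu_for(outer_pmtu):
    """Largest inner packet that still fits outer_pmtu after ESP tunnel encapsulation.

    This is the MTU the inner packet 'sees' once the outer path reports Too Big.
    """
    fixed = OUTER_IP_HDR + ESP_HDR + ESP_IV + ESP_ICV
    aligned = (outer_pmtu - fixed) // ESP_BLOCK * ESP_BLOCK  # padded payload+trailer
    return aligned - ESP_TRAILER


def ipv4_checksum(hdr):
    """RFC 791 one's-complement checksum over an even-length header."""
    total = 0
    for i in range(0, len(hdr), 2):
        total += (hdr[i] << 8) | hdr[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload, ident=0x1234, df=False, proto=17):
    """Constructed sample inner packet: IPv4, no options, 10.0.0.1 -> 10.0.0.2."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def fragment_ipv4(pkt, mtu):
    """Ordinary IPv4 fragmentation of an option-less packet to fit mtu.

    Returns a list of fragments, or None when DF is set and the packet does not
    fit: then the correct response is an ICMP Too Big toward the inner source,
    i.e. the tunnel endpoint behaves like any other node on the inner network.
    """
    if len(pkt) <= mtu:
        return [pkt]
    hdr, payload = pkt[:20], pkt[20:]
    flags_frag = struct.unpack("!H", hdr[6:8])[0]
    if flags_frag & 0x4000:          # DF set: do not fragment
        return None
    chunk = (mtu - 20) // 8 * 8      # fragment offsets are in 8-byte units
    if chunk <= 0:
        raise ValueError("MTU too small to carry any inner payload")
    orig_mf = bool(flags_frag & 0x2000)   # packet may itself already be a fragment
    base_off = flags_frag & 0x1FFF
    frags = []
    for i in range(0, len(payload), chunk):
        piece = payload[i:i + chunk]
        last = i + chunk >= len(payload)
        mf = 0 if (last and not orig_mf) else 0x2000
        h = bytearray(hdr)
        struct.pack_into("!H", h, 2, 20 + len(piece))
        struct.pack_into("!H", h, 6, (flags_frag & 0x4000) | mf | (base_off + i // 8))
        struct.pack_into("!H", h, 10, 0)
        struct.pack_into("!H", h, 10, ipv4_checksum(h))
        frags.append(bytes(h) + piece)
    return frags


def prepare_for_tunnel(inner_pkt, outer_pmtu):
    """Fragment the *inner* packet first so every ESP-encapsulated fragment fits
    the outer path MTU learned from ICMP Too Big. Returns None if DF forbids it."""
    frags = fragment_ipv4(inner_pkt, inner_mtu_for(outer_pmtu))
    if frags is not None:
        assert all(esp_tunnel_len(len(f)) <= outer_pmtu for f in frags)
    return frags


if __name__ == "__main__":
    pkt = build_ipv4(b"\x00" * 1480)          # 1500-byte inner packet
    print("encapsulated whole:", esp_tunnel_len(len(pkt)), "bytes (exceeds a 1400-byte path)")
    for f in prepare_for_tunnel(pkt, 1400):
        print("inner fragment", len(f), "-> outer", esp_tunnel_len(len(f)))
```

For a 1500-byte inner packet and a 1400-byte outer path MTU, encapsulating the whole packet would produce a 1560-byte outer packet that the tunnel would then have to fragment after encryption; fragmenting first yields a 1340-byte and a 180-byte inner fragment whose encapsulations (1400 and 248 bytes) both fit, and a DF-marked inner packet is left alone so the source can be told the path MTU instead.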