[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IPsec and Fragmentation
> Dan and Karen,
>
> Section 3.2.5 of the architecture document states that transport mode is
> always applied to whole IP datagrams, but that tunnel mode may be applied
> to packet fragments. This was motivated by the need to accommodate
> security gateways, and BITS, BITW implementations, but you can legitimately
> apply tunnel mode processing in this fashion in your host to make matching
> of MTU info to the headers easier. The IPsec receiver at H2 does not know
> whether you have a BITS or BITW implementation vs. a native implementation,
> so it must be prepared to accept encapsulated fragments in tunnel mode.
>
> Steve
Thanks for the clarification. (However, I'm having trouble finding section
3.2.5 in my copy of the architecture doc (draft-ietf-ipsec-arch-sec-05)). But
I believe that the statement in Appendix B, section B.2, "Fragmentation MUST
be done after outbound IPsec processing." is incorrect. In fact, for a tunnel
mode SA on a host, fragmentation must be done before IPsec processing to make
PMTU discovery work, correct?
Karen Heron
Router Development
IBM, RTP, NC
Follow-Ups: