
Re: IPsec and Fragmentation





> Dan and Karen,
>
> Section 3.2.5 of the architecture document states that transport mode is
> always applied to whole IP datagrams, but that tunnel mode may be applied
> to packet fragments.  This was motivated by the need to accommodate
> security gateways, and BITS, BITW implementations, but you can legitimately
> apply tunnel mode processing in this fashion in your host to make matching
> of MTU info to the headers easier.  The IPsec receiver at H2 does not know
> whether you have a BITS or BITW implementation vs. a native implementation,
> so it must be prepared to accept encapsulated fragments in tunnel mode.
>
> Steve

Thanks for the clarification. (However, I'm having trouble finding section
3.2.5 in my copy of the architecture doc (draft-ietf-ipsec-arch-sec-05)).  But
I believe that the statement in Appendix B, section B.2, "Fragmentation MUST
be done after outbound IPsec processing." is incorrect.  In fact, for a tunnel
mode SA on a host, fragmentation must be done before IPsec processing to make
PMTU discovery work, correct?


Karen Heron
Router Development
IBM, RTP, NC
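The two orderings Karen's question turns on, modelled in Python as an added illustration (not code from the thread or the architecture draft). It assumes IPv4 without options, an 8-byte ESP IV, an 8-byte cipher block and a 12-byte ICV; the function names and the EspParams type are hypothetical.

```python
import math
from dataclasses import dataclass

IPV4_HDR = 20      # outer/inner IPv4 header without options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), inside the padded block

@dataclass(frozen=True)
class EspParams:
    iv_len: int    # cipher IV bytes; 8 is assumed here (CBC with a 64-bit block)
    block: int     # cipher block size; payload + trailer are padded to a multiple
    icv_len: int   # integrity check value bytes; 12 is assumed (HMAC-96)

def esp_tunnel_len(inner_len: int, p: EspParams) -> int:
    """Bytes on the wire for one inner IPv4 datagram carried in tunnel-mode ESP."""
    padded = math.ceil((inner_len + ESP_TRAILER) / p.block) * p.block
    return IPV4_HDR + ESP_HDR + p.iv_len + padded + p.icv_len

def max_inner_len(path_mtu: int, p: EspParams) -> int:
    """Largest inner datagram whose encapsulation still fits path_mtu.
    This is the PMTU the host must feed back to the inner flow when an ICMP
    'fragmentation needed' for the outer tunnel packet reports path_mtu."""
    avail = path_mtu - IPV4_HDR - ESP_HDR - p.iv_len - p.icv_len
    return (avail // p.block) * p.block - ESP_TRAILER

def _split(total_payload: int, per_frag: int) -> list:
    """Split a payload into IP fragment payloads; offsets are in 8-byte units."""
    per_frag -= per_frag % 8
    sizes = []
    while total_payload > 0:
        chunk = min(per_frag, total_payload)
        sizes.append(chunk)
        total_payload -= chunk
    return sizes

def fragment_before_ipsec(inner_len: int, path_mtu: int, p: EspParams) -> list:
    """Fragment the inner datagram down to max_inner_len first, then encapsulate
    each fragment separately. Every wire packet fits path_mtu and each fragment
    is integrity-protected on its own, so the receiver decrypts, then reassembles."""
    inner_mtu = max_inner_len(path_mtu, p)
    chunks = _split(inner_len - IPV4_HDR, inner_mtu - IPV4_HDR)
    return [esp_tunnel_len(IPV4_HDR + c, p) for c in chunks]

def fragment_after_ipsec(inner_len: int, path_mtu: int, p: EspParams) -> list:
    """Encapsulate the whole datagram, then let the outer datagram be fragmented
    to path_mtu. The pieces are unauthenticated ESP fragments: the receiver has
    to buffer and reassemble them before it can check the ICV at all."""
    outer = esp_tunnel_len(inner_len, p)
    return [IPV4_HDR + c for c in _split(outer - IPV4_HDR, path_mtu - IPV4_HDR)]
```

With a 1500-byte path MTU the outer packet for a 1500-byte inner datagram is 1552 bytes, so a host doing PMTU discovery on the inner flow has to advertise max_inner_len (1446 here), not 1500.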



