Fragmentation, Inbound processing
Section 4.1 of draft-ietf-ipsec-arch-sec-07.txt states:
[snip]
The requirement for any (transit traffic) SA involving a
security gateway to be a tunnel SA arises due to the need
to avoid potential problems with regard to fragmentation
and reassembly of IPsec packets, and in circumstances where
multiple paths (e.g., via different security gateways) exist
to the same destination behind the security gateways.
Could someone elaborate on what exactly are the "potential problems"
or point me to a document explaining them?
Section 4.4.2 of draft-ietf-ipsec-arch-sec-07.txt states:
[snip]
If the packet has been fragmented, then the port information
may not be available in the current fragment. If so, discard
the fragment. An ICMP PMTU should be sent for the first
fragment, which will have the port information. [MAY be
supported]
I am confused by the discard fragment action. If security gateways
can apply IPsec to an IP packet whose payload may be an IP fragment
then why would we discard the fragment?
Section 5.2.1 of draft-ietf-ipsec-arch-sec-07.txt states:
[snip]
NOTE: The correct "matching" policy will not necessarily
be the first inbound policy found.
The SPD is an ordered list of entries. If the correct matching
policy was not the first inbound policy found wouldn't that imply
that the SPD is not really ordered? Or, am I missing something?
thanks
--
David W. Faucher
Lucent Technologies - Bell Labs
dfaucher@lucent.com