
Fragmentation, Inbound processing



Section 4.1 of draft-ietf-ipsec-arch-sec-07.txt states:

[snip]
	The requirement for any (transit traffic) SA involving a
	security gateway to be a tunnel SA arises due to the need 
	to avoid potential problems with regard to fragmentation 
	and reassembly of IPsec packets, and in circumstances where
	multiple paths (e.g., via different security gateways) exist
	to the same destination behind the security gateways.

Could someone elaborate on what exactly the "potential problems" 
are, or point me to a document explaining them?  

Section 4.4.2 of draft-ietf-ipsec-arch-sec-07.txt states:

[snip]
	If the packet has been fragmented, then the port information 
	may not be available in the current fragment.  If so, discard
	the fragment.  An ICMP PMTU should be sent for the first 
	fragment, which will have the port information. [MAY be 
	supported]

I am confused by the discard fragment action. If security gateways 
can apply IPsec to an IP packet whose payload may be an IP fragment 
then why would we discard the fragment?

Section 5.2.1 of draft-ietf-ipsec-arch-sec-07.txt states:

[snip]
	NOTE: The correct "matching" policy will not necessarily
	be the first inbound policy found.

The SPD is an ordered list of entries. If the correct matching
policy was not the first inbound policy found wouldn't that imply 
that the SPD is not really ordered? Or, am I missing something?

thanks

-- 
David W. Faucher
Lucent Technologies - Bell Labs
dfaucher@lucent.com
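To make the two inbound-processing questions above concrete, here is an added example (not from the original post or from any IPsec implementation) of a fragment-aware selector extraction and an ordered SPD walk. It assumes IPv4 without options, a simplified SPD entry shape, and a hypothetical per-entry `spi` field recording which inbound SA the entry is bound to; the packets and SPD below are constructed sample data. It shows why a non-first fragment carries no port selectors (and is discarded when policy needs them, as the quoted 4.4.2 text says), and why the first SPD entry whose selectors match an inbound packet is not necessarily the entry that belongs with the SA the packet arrived on.

```python
"""Ordered-SPD lookup with fragment-aware selector extraction (added example)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

PROTO_TCP, PROTO_UDP = 6, 17
MORE_FRAGMENTS = 0x2000  # IPv4 MF flag bit inside the flags/fragment-offset field


def ipv4_packet(src, dst, proto, payload, frag_offset=0, more=False):
    """Constructed IPv4 packet (no options, header checksum left zero)."""
    flags_frag = (MORE_FRAGMENTS if more else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def selectors(pkt):
    """Return (src, dst, proto, sport, dport). Ports are None when this
    fragment does not carry the transport header (fragment offset != 0)."""
    ihl = (pkt[0] & 0x0F) * 4
    offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    sport = dport = None
    if offset == 0 and proto in (PROTO_TCP, PROTO_UDP) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, proto, sport, dport


@dataclass
class SPDEntry:
    src: str                    # CIDR
    dst: str                    # CIDR
    proto: Optional[int]        # None = any protocol
    dport: Optional[int]        # None = any destination port
    action: str                 # "PROTECT", "BYPASS" or "DISCARD"
    spi: Optional[int] = None   # inbound SA bound to this entry (assumption)


def entry_matches(entry, sel):
    """True, False, or None when the entry needs a port this fragment lacks."""
    src, dst, proto, _sport, dport = sel
    if ipaddress.ip_address(src) not in ipaddress.ip_network(entry.src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(entry.dst):
        return False
    if entry.proto is not None and entry.proto != proto:
        return False
    if entry.dport is not None:
        if dport is None:
            return None
        if entry.dport != dport:
            return False
    return True


def lookup_outbound(spd, pkt):
    """Ordered first-match walk. A fragment that reaches a port-specific
    entry without carrying ports is discarded (the quoted 4.4.2 behaviour)."""
    sel = selectors(pkt)
    for entry in spd:
        m = entry_matches(entry, sel)
        if m is None:
            return "DISCARD"
        if m:
            return entry.action
    return "DISCARD"  # no entry at all: default deny


def lookup_inbound(spd, pkt, spi):
    """Index of the entry that both the packet's selectors and the arriving
    SA satisfy. The first selector match alone may be the wrong entry."""
    sel = selectors(pkt)
    for i, entry in enumerate(spd):
        if entry_matches(entry, sel) and entry.spi == spi:
            return i
    return None


# Constructed SPD: a port-specific entry ahead of a broader one, then default deny.
SPD = [
    SPDEntry("10.1.0.0/16", "192.0.2.0/24", PROTO_UDP, 53, "PROTECT", spi=0x100),
    SPDEntry("10.1.0.0/16", "192.0.2.0/24", None, None, "PROTECT", spi=0x200),
    SPDEntry("0.0.0.0/0", "0.0.0.0/0", None, None, "DISCARD"),
]

# Constructed DNS packet split in two: only the first fragment carries UDP ports.
UDP_HDR = struct.pack("!HHHH", 4000, 53, 16, 0)
FIRST_FRAG = ipv4_packet("10.1.2.3", "192.0.2.10", PROTO_UDP, UDP_HDR, more=True)
LATER_FRAG = ipv4_packet("10.1.2.3", "192.0.2.10", PROTO_UDP, b"\x00" * 8,
                         frag_offset=100)

if __name__ == "__main__":
    print(selectors(FIRST_FRAG), lookup_outbound(SPD, FIRST_FRAG))
    print(selectors(LATER_FRAG), lookup_outbound(SPD, LATER_FRAG))
    print(lookup_inbound(SPD, FIRST_FRAG, 0x100), lookup_inbound(SPD, FIRST_FRAG, 0x200))
```

The outbound walk is strictly ordered and stops at the first decision; the inbound walk stays ordered too, but keeps going past a selector match whose SA binding does not fit the SA the packet was received on, which is one reading of the "not necessarily the first inbound policy found" note.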