Reassembly and Fragmentation - detailed Question
Hi,
I would like to ask a question about reassembly and fragmentation.
Maybe I am based on a wrong assumption, so please correct me if necessary.
I am sorry that the email is long, but I try to build an example with real
values.
A company with two remote sites builds an Intranet with two S.G implementing
IPSec.
These gateways are mounted at the edge of each site.
Site A ------ S.G A ----------- Internet --------- S.G B ---------- Site B
Now suppose some host from Site A does "ping" with a datagram size of 5000
bytes to some host in Site B.
As I understand, Host A will fragment the packet into 3 packets of 1500 and
one packet of 500 bytes (Site A is Ethernet based): 1500 + 1500 + 1500 +
500.
Suppose that the tunnel between S.G A and S.G B is AH and ESP (nested
tunnel - bundle of SA) in tunnel mode.
I assume that the tunneling adds 50-100 bytes to the IP datagram (3DES,
HMAC-MD5).
Question:
What actually will happen in S.G A:
1. Should the IP layer at S.G A reassemble all the 5000 bytes before it passes
them up to AH and ESP processing?
2. If 1 is true, now the AH and ESP add 50-100 bytes. Now we have a datagram
of ~5100 bytes.
3. If the WAN connection of S.G A has an MTU of 1000, should the IPSec fragment
the packet before it passes it to the IP, or should the IP fragment the
packet?
(6 fragments: 1000 + 1000 + 1000 + 1000 + 1000 + 100?)
4. Suppose that in the Internet the packets pass via some path with 512 MTU,
hence the 1000-byte packets are cut again to 512 and 488 bytes.
5. Finally the packets reach S.G B, and it should pass them after processing to
Host B.
Can someone explain if the process that I describe is correct?
What happens at S.G B?
Thanks in advance.
Nir
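As an added illustration that is not part of Nir's post, the following Python works through the IPv4 fragmentation arithmetic for the stages he describes: Host A's Ethernet fragments, the reassembled datagram wrapped in the tunnel, the WAN link, and the 512-byte hop. It assumes 20-byte IP headers with no options and takes the tunnel overhead as 100 bytes (the top of the 50-100 estimate); it models only which fragment sizes and offsets result at each stage, not which layer inside S.G A does the fragmenting.

```python
from dataclasses import dataclass

IPV4_HDR = 20  # IPv4 header without options, in bytes

@dataclass(frozen=True)
class Fragment:
    total_len: int        # bytes on the wire: IP header + payload
    offset: int           # Fragment Offset field, in 8-byte units
    more_fragments: bool  # MF flag

def fragment(total_len, mtu, base_offset=0, last_mf=False, hdr=IPV4_HDR):
    """Split a datagram (or an existing fragment) so every piece fits mtu.

    Each piece carries its own IP header, and every payload but the last must be
    a multiple of 8 because Fragment Offset counts 8-byte units.  base_offset and
    last_mf let an existing fragment be split again without losing its place.
    """
    step = (mtu - hdr) // 8 * 8          # 1500 -> 1480, 1000 -> 976, 512 -> 488
    if step == 0:
        raise ValueError("mtu too small to carry any payload")
    payload = total_len - hdr
    if payload <= mtu - hdr:
        return [Fragment(total_len, base_offset, last_mf)]
    frags, sent = [], 0
    while sent < payload:
        chunk = min(step, payload - sent)
        is_last = sent + chunk == payload
        frags.append(Fragment(hdr + chunk, base_offset + sent // 8,
                              last_mf if is_last else True))
        sent += chunk
    return frags

def refragment(frags, mtu):
    """What a router with a smaller MTU does to a stream of fragments."""
    return [g for f in frags
            for g in fragment(f.total_len, mtu, f.offset, f.more_fragments)]

def reassembled_len(frags):
    """Total length of the original datagram; raises if the set is incomplete."""
    expected = 0
    for f in sorted(frags, key=lambda f: f.offset):
        if f.offset * 8 != expected:
            raise ValueError("gap or overlap at offset %d" % f.offset)
        expected += f.total_len - IPV4_HDR
    if f.more_fragments:
        raise ValueError("last fragment missing")
    return IPV4_HDR + expected

def tunnel_scenario(ping_len=5000, lan_mtu=1500, overhead=100, wan_mtu=1000, path_mtu=512):
    """Stages of the post's example; overhead=100 is an assumed value (post says 50-100)."""
    inner = fragment(ping_len, lan_mtu)          # Host A's fragments on the Ethernet
    assert reassembled_len(inner) == ping_len    # S.G A reassembles before IPsec (question 1)
    outer_len = ping_len + overhead              # tunnel-mode AH+ESP encapsulation (question 2)
    wan = fragment(outer_len, wan_mtu)           # onto the 1000-byte WAN link (question 3)
    path = refragment(wan, path_mtu)             # a 512-byte MTU hop in the Internet (question 4)
    assert reassembled_len(path) == outer_len    # S.G B rebuilds the outer datagram (question 5)
    return inner, wan, path
```

Note that every fragment repeats the 20-byte IP header, so the last Ethernet fragment carries 560 bytes rather than 500, and a 1000-byte MTU yields 996-byte fragments (976 bytes of payload, the largest multiple of 8 that fits) rather than 1000.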