
RE: Reassembly and Fragmentation - detailed Question

Some answers below.

Claudio Lordello.

> A company with two remote sites builds an Intranet with two S.G implementing
> IPSec.
> 
> These gateways are mounted at the edge of each site.
> 
> Site A ------ S.G A ----------- Internet --------- S.G B ---------- Site B
> 
> Now suppose some host from Site A does a "ping" with a datagram size of 5000
> bytes to some host in Site B.
> 
> As I understand, Host A will fragment the packet into 3 packets of 1500 and
> one packet of 500 bytes (Site A is Ethernet based): 1500 + 1500 + 1500 + 500.
> 
> Suppose that the Tunnel between S.G A and S.G B is AH and ESP (nested
> tunnel - bundle of SAs) in tunnel mode.
> 
> If I assume that the Tunneling adds 50-100 bytes to the IP datagram (3DES,
> HMAC-MD5).
> 
> Question:
> 
> What actually will happen in S.G A:
> 
> 1. Should the IP layer at S.G A reassemble all the 5000 bytes before it
> passes it up to AH and ESP processing?


Typically this does not happen. Re-assembly is a task performed by the
endpoint and not the router.


> 2. If 1 is true, now the AH and ESP add 50-100 bytes. Now we get a datagram
> of ~5100 bytes.
> 3. If the WAN connection of S.G A has an MTU of 1000, should IPSec fragment
> the packet before it passes it to the IP, or should the IP fragment the
> packet? (6 fragments: 1000 + 1000 + 1000 + 1000 + 1000 + 100?)


One approach is that when IPSec is attached to an IP interface it should
present to the IP interface an MTU "discounted" by the IPSec overhead. In
your case, the IPSec stack would make the IP interface "think" that the MTU
is 900 (assuming a maximum overhead of 100). Therefore, IP would then
fragment the pieces BEFORE AH and ESP encapsulation. The packets presented
for IPSec processing would then be: [900 + 600 + 900 + 600 + 900 + 600 +
500]. IPSec now processes those packets and, assuming a fixed overhead of 100,
the fragments now look like: [1000 + 700 + 1000 + 700 + 1000 + 700 + 600].


> 4. Suppose that in the Internet the packets pass via some path with 512 MTU,
> hence the 1000 byte packets are cut again to 512 and 488 bytes.


There are some options regarding this. The one we use, and I assume it is a
popular one, is to set the DF bit in all IPSec encapsulated packets and do
path MTU discovery. This way, if such an encapsulated packet does find such a
512 MTU router on its path, the packet would be discarded but an ICMP message
would be returned to SG A. SG A would now use the ICMP message info to
reduce the IP interface's MTU to 412. From now on, no further packets would be
discarded. Have a look at the Path MTU discovery stuff.


> 5. Finally the packets reach S.G B and it should pass after processing to
> Host B.
> 
> Can someone explain if the process that I describe is correct?
> What happens at S.G B?
> 
> Thanks in advance.
> 
> Nir

Claudio Lordello.
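The "discounted MTU" arithmetic from the reply above, worked through in code. This is an added example, not code from the thread; it assumes a 20-byte IPv4 header (no options), keeps every non-final fragment payload a multiple of 8 bytes (the fragment offset field counts 8-byte units), and treats the IPsec overhead as a fixed 100 bytes, so the tail fragments come out 20 bytes larger than the round figures in the reply. It also applies the same function to the 412-byte MTU that results from the PMTUD step.

```python
# Added example: IP fragmentation on an interface whose MTU has been
# "discounted" by the IPsec tunnel overhead, then re-growth of each
# fragment by that overhead after AH/ESP encapsulation. All sizes are
# total IPv4 packet lengths. Only sizes are modelled; fragment offsets,
# IDs and flags of the inner packets are not tracked.
IP_HDR = 20  # IPv4 header without options (assumption)


def ip_fragment(total_len, mtu):
    """Split one IPv4 packet of total_len bytes into fragments that each
    fit within mtu. Every fragment but the last carries a payload that is
    a multiple of 8 bytes, as the fragment offset field requires."""
    if total_len <= mtu:
        return [total_len]
    max_payload = (mtu - IP_HDR) // 8 * 8  # round down to 8-byte units
    if max_payload <= 0:
        raise ValueError("MTU too small to carry any fragment payload")
    payload = total_len - IP_HDR
    frags = []
    while payload > 0:
        chunk = min(payload, max_payload)
        frags.append(chunk + IP_HDR)  # each fragment gets its own header
        payload -= chunk
    return frags


def tunnel_sizes(packets, link_mtu, ipsec_overhead):
    """Model the reply's approach: IP is told an MTU reduced by the IPsec
    overhead, fragments first, then each fragment grows by the overhead.
    Returns (sizes before encapsulation, sizes on the wire)."""
    discounted = link_mtu - ipsec_overhead
    inner = [f for p in packets for f in ip_fragment(p, discounted)]
    outer = [f + ipsec_overhead for f in inner]
    # Discounting guarantees nothing needs a second fragmentation pass.
    assert all(o <= link_mtu for o in outer)
    return inner, outer


# Constructed input: the 5000-byte ping from the question, already cut by
# Host A into Ethernet-sized pieces (round numbers as used in the thread).
SITE_A_FRAGMENTS = [1500, 1500, 1500, 500]

if __name__ == "__main__":
    inner, outer = tunnel_sizes(SITE_A_FRAGMENTS, link_mtu=1000, ipsec_overhead=100)
    print("WAN MTU 1000, before IPsec:", inner)
    print("WAN MTU 1000, on the wire: ", outer)
    # After PMTUD reports a 512-byte path, the interface MTU drops to 412.
    inner, outer = tunnel_sizes(SITE_A_FRAGMENTS, link_mtu=512, ipsec_overhead=100)
    print("path MTU 512, on the wire: ", outer)
```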