
Re: tunnel mode SAs...



On Wed, 25 Apr 2001 16:28:16 EDT you wrote
> Dan Harkins wrote:
> >   Isn't fragmentation done after IPsec processing? In that case #1 (for
> > outbound) would never happen. If the other side is an endhost it wouldn't
> > fragment a packet and then apply IPsec to the fragments. If it's a router
> > then it'd have to reconstruct the whole packet prior to IPsec processing
> > anyway, right? If the selector did not specify port and/or protocol
> > information and the router received a fragment it would just process it
> > like it was a normal IP datagram and you'd receive a bunch of
> > IPsec-protected fragments.
> 
> As I wrote above, fragmentation theoretically can be done before encryption.
> I said theoretically because I don't know who is actually doing it.
> Maybe nobody has thought about it? Why do you say it's impossible to
> fragment before encryption? If we define the rule "fragment only after
> encryption", I agree case 1 would never happen. I just don't see
> why technically case 1 is impossible even considering all RFC and
> drafts we have now. Or maybe I missed something?

Section 3.3.4 of RFC2402 and section 3.3.5 of RFC2406 both say that
fragmentation is performed _after_ outbound IPsec processing.

  Dan.
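The ordering question above (fragment before or after IPsec processing, and what a gateway can do with a fragment whose selector needs port information) can be made concrete with a small model. The following is an added example written for this archive page, not code from either poster or from any IPsec implementation. It models IPv4 fragmentation and tunnel-mode encapsulation; the keyed HMAC-SHA256 keystream standing in for ESP's cipher, the absence of an integrity check, the fixed 20-byte IP header and the addresses, SPI and key are all assumptions made for illustration.

```python
"""Why the RFC 2402/2406 ordering (IPsec first, then fragment) matters.

Added example, not part of the original thread. 'Encryption' here is a
keyed HMAC-SHA256 keystream with no integrity check, a placeholder for
ESP's real transform; only the ordering of operations is the point.
"""
import hashlib
import hmac
import struct

IP_HDR = 20   # fixed IPv4 header length assumed by this model (no options)
UDP_HDR = 8
ESP_PROTO = 50

def build_ip(src, dst, proto, payload, frag_off=0, mf=0):
    # frag_off is in 8-byte units; MF flag sits above the 13-bit offset
    flags_frag = (mf << 13) | frag_off
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(payload), 1,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload

def parse_ip(pkt):
    (_, _, total, _, ff, _, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:IP_HDR])
    return {"src": src, "dst": dst, "proto": proto, "mf": (ff >> 13) & 1,
            "off": ff & 0x1FFF, "payload": pkt[IP_HDR:total]}

def fragment(pkt, mtu):
    """Split one IPv4 datagram into fragments that fit mtu."""
    h = parse_ip(pkt)
    chunk = (mtu - IP_HDR) // 8 * 8          # fragment data is a multiple of 8
    data, frags, off = h["payload"], [], 0
    while off < len(data):
        piece = data[off:off + chunk]
        last = off + len(piece) >= len(data)
        frags.append(build_ip(h["src"], h["dst"], h["proto"], piece,
                              frag_off=off // 8, mf=0 if last else 1))
        off += len(piece)
    return frags

def reassemble(frags):
    h = parse_ip(frags[0])
    parts = sorted((parse_ip(f)["off"] * 8, parse_ip(f)["payload"]) for f in frags)
    return build_ip(h["src"], h["dst"], h["proto"], b"".join(p for _, p in parts))

def selector_matches(pkt, sel):
    """True/False for a classifiable packet; None if a port selector cannot be checked."""
    h = parse_ip(pkt)
    if (h["src"], h["dst"], h["proto"]) != (sel["src"], sel["dst"], sel["proto"]):
        return False
    if "dport" not in sel:
        return True                          # address/protocol-only selector: fragments are fine
    if h["off"] != 0:
        return None                          # non-initial fragment carries no transport header
    _, dport = struct.unpack("!HH", h["payload"][:4])
    return dport == sel["dport"]

def keystream(key, spi, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!II", spi, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def tunnel_protect(inner, key, spi, gw_src, gw_dst):
    """Tunnel mode: whole inner datagram becomes the opaque payload of a new outer packet."""
    enc = bytes(a ^ b for a, b in zip(inner, keystream(key, spi, len(inner))))
    return build_ip(gw_src, gw_dst, ESP_PROTO, struct.pack("!I", spi) + enc)

def tunnel_unprotect(outer, key):
    h = parse_ip(outer)
    spi = struct.unpack("!I", h["payload"][:4])[0]
    enc = h["payload"][4:]
    return bytes(a ^ b for a, b in zip(enc, keystream(key, spi, len(enc))))

# Constructed demo values (assumptions): a port-specific selector and a demo key.
SEL = {"src": b"\x0a\x00\x00\x01", "dst": b"\x0a\x00\x01\x01", "proto": 17, "dport": 53}
KEY = b"demo-key-not-for-real-use"
GW_A, GW_B, SPI = b"\xc0\xa8\x00\x01", b"\xc0\xa8\x00\x02", 0x1000

def make_inner(n_payload=1000):
    udp = struct.pack("!HHHH", 40000, 53, UDP_HDR + n_payload, 0) + b"A" * n_payload
    return build_ip(SEL["src"], SEL["dst"], 17, udp)

def fragment_after_ipsec(mtu=576):
    """RFC 2402 s.3.3.4 / RFC 2406 s.3.3.5 ordering: protect, then fragment the outer packet."""
    inner = make_inner()
    frags = fragment(tunnel_protect(inner, KEY, SPI, GW_A, GW_B), mtu)
    recovered = tunnel_unprotect(reassemble(frags), KEY)   # receiver reassembles, then decapsulates
    return len(frags), selector_matches(recovered, SEL), recovered == inner

def fragment_before_ipsec(mtu=576):
    """The 'case 1' ordering: fragment the inner packet, then protect each fragment."""
    protected = [tunnel_protect(f, KEY, SPI, GW_A, GW_B) for f in fragment(make_inner(), mtu)]
    # Each protected fragment has also grown by the tunnel overhead; the point here
    # is classification: only the first fragment can be checked against a port selector.
    return [selector_matches(tunnel_unprotect(p, KEY), SEL) for p in protected]

if __name__ == "__main__":
    print("after :", fragment_after_ipsec())    # (2, True, True)
    print("before:", fragment_before_ipsec())   # [True, None]
```

With the RFC ordering the receiver sees one intact inner datagram after outer reassembly, so a selector with ports can be checked exactly once. With fragment-then-protect, every non-initial fragment decapsulates to a packet with no transport header, and a port-qualified selector can only be enforced if the receiver reassembles before policy checking; a selector without port or protocol information, as Dan notes, has no such problem.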
