
Re: tunnel mode SAs...

>On Wed, 25 Apr 2001 16:28:16 EDT you wrote
>> Dan Harkins wrote:
>> >   Isn't fragmentation done after IPsec processing? In that case #1 (for
>> > outbound) would never happen. If the other side is an endhost it wouldn't
>> > fragment a packet and then apply IPsec to the fragments. If it's a router
>> > then it'd have to reconstruct the whole packet prior to IPsec processing
>> > anyway, right? If the selector did not specify port and/or protocol
>> > information and the router received a fragment it would just process it
>> > like it was a normal IP datagram and you'd receive a bunch of
>> > IPsec-protected fragments.
>>
>> As I wrote above, fragmentation theoretically can be done before encryption.
>> I said theoretically because I don't know who is actually doing it.
>> Maybe nobody has thought about it? Why do you say it's impossible to
>> fragment before encryption? If we define the rule "fragment only after
>> encryption", I agree case 1 would never happen. I just don't see
>> why technically case 1 is impossible even considering all RFC and
>> drafts we have now. Or maybe I missed something?
>
>Section 3.3.4 of RFC2402 and section 3.3.5 of RFC2406 both say that
>fragmentation is performed _after_ outbound IPsec processing.
>
>  Dan.
>

Yes. But does that mean that fragmentation before IPsec is not allowed? I didn't think so. I
understood that to say: if you IPsec a packet and it grows beyond the interface MTU, then fragment
it.

What stops an SG from receiving already fragmented packets from the host it is protecting? How
different is IPsec'ing those fragments from receiving a whole packet, fragmenting it within the SG
and then IPsec'ing it? Granted, there is a problem when protocol/ports are used as selectors, as
Dan already pointed out. But if they are not, then both options 1 and 2 are OK. My point is that I
do not understand the need to disallow fragmentation before IPsec for every situation. In fact,
fragmenting to an IPsec-overhead-discounted MTU before IPsec'ing has the advantage of removing the
burden of reassembly on the remote SG.

Claudio.
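As an added illustration of the two points in this exchange (not code from the thread or from any IPsec implementation): computing the "IPsec-overhead-discounted MTU" Claudio mentions, so that pre-IPsec fragments never need post-IPsec fragmentation, and showing why a port-based selector cannot be evaluated on a non-initial fragment, as Dan notes. Header sizes are assumptions: IPv4 without options, ESP with a 16-byte IV and cipher block and a 12-byte truncated ICV.

```python
# Added example, not from the thread. Sizes are assumptions: IPv4 without
# options, ESP tunnel mode with a 16-byte IV/block (AES-CBC style) and a
# 12-byte truncated ICV.
IPV4_HDR = 20      # outer tunnel-mode IP header
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

def esp_tunnel_len(inner_len, iv_len=16, block=16, icv_len=12):
    """Wire size of an ESP tunnel-mode packet carrying an inner datagram of
    inner_len bytes; inner datagram + trailer is padded up to the block size."""
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return IPV4_HDR + ESP_HDR + iv_len + padded + icv_len

def pre_ipsec_mtu(path_mtu, **kw):
    """Largest inner datagram whose ESP encapsulation fits in path_mtu.
    Its payload (inner_len - 20) is kept a multiple of 8 so the datagram can
    serve as a non-final IPv4 fragment."""
    inner = path_mtu - IPV4_HDR            # upper bound, then step down by 8
    inner -= (inner - IPV4_HDR) % 8
    while esp_tunnel_len(inner, **kw) > path_mtu:
        inner -= 8
    return inner

def fragment_lengths(total_len, mtu):
    """Split an inner datagram of total_len bytes into fragments (each with
    its own 20-byte IP header) no larger than mtu; returns their lengths."""
    chunk = mtu - IPV4_HDR                 # payload bytes per fragment
    payload = total_len - IPV4_HDR
    out = []
    while payload > 0:
        take = min(chunk, payload)
        out.append(IPV4_HDR + take)
        payload -= take
    return out

def selector_matches(frag, selector):
    """Match a fragment against an SPD selector. Returns True/False, or None
    when the selector needs a port but the fragment carries no transport
    header (IPv4 fragment offset != 0), so the decision cannot be made."""
    if frag["proto"] != selector["proto"]:
        return False
    if "dport" not in selector:
        return True                        # address/protocol-only selector
    if frag["offset"] != 0:
        return None                        # non-initial fragment: no ports
    return frag["dport"] == selector["dport"]

if __name__ == "__main__":
    mtu = pre_ipsec_mtu(1500)              # constructed: 1500-byte path MTU
    print(mtu, fragment_lengths(4000, mtu))
    print(selector_matches({"proto": 6, "offset": 185}, {"proto": 6, "dport": 80}))
```

For a 1500-byte path MTU and the assumed overheads, the discounted MTU is 1436 bytes, and a 4000-byte datagram pre-fragmented to that size yields three ESP packets that all fit in 1500 bytes without further fragmentation.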
