
Re: tunnel mode SAs...



On Wed, 25 Apr 2001 21:57:44 EDT you wrote
> 
> >On Wed, 25 Apr 2001 16:28:16 EDT you wrote
> >
> >Section 3.3.4 of RFC2402 and section 3.3.5 of RFC2406 both say that
> >fragmentation is performed _after_ outbound IPsec processing.
> >
> >  Dan.
> >
> 
> Yes. But does that mean that fragmentation before IPsec is not allowed? I
> didn't think so. I understood that to say: if you IPsec a packet and it grows
> beyond the interface MTU, then fragment it.
>
> What stops an SG from receiving already fragmented packets from the host it is
> protecting? How different is IPsec'ing those fragments from receiving a whole
> packet, fragmenting it within the SG and then IPsec'ing it? Granted, there is
> a problem when protocol/ports are used as selectors, as Dan already pointed
> out. But if they are not, then both options 1 and 2 are OK. My point is that
> I do not understand the need to disallow fragmentation before IPsec for every
> situation. In fact, fragmenting to an IPsec-overhead-discounted MTU before
> IPsec'ing has the advantage of removing the burden of reassembly on the
> remote SG.
>
> Claudio.

A security gateway receiving an already fragmented packet is different
from a security gateway receiving a non-fragmented packet, fragmenting
it and then applying IPsec to each fragment. The rules for the former
are very well stated and not being debated.

Since I don't believe compliant devices are supposed to do the latter,
I don't believe a security gateway will ever receive encrypted
fragments that it has to independently IPsec-process and then combine to
reconstruct a packet which is forwarded on to the ultimate destination.
That was case #2 from Yuri's post.

If the selector had port and/or protocol information the gateway would
not be receiving IPsec-protected fragments of the original packet, it
would be receiving fragments of the IPsec protected original packet.
If the selector did not have port and/or protocol information the
gateway would just process the fragments as normal IP packets and no
reassembly on either end would be necessary.

  Dan.
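The two orderings contrasted in this thread (ESP first, then fragment the ESP packet on the outbound link, versus fragmenting first and trying to classify each piece against a port selector), modelled as an added Python example that is not part of the thread; the ESP overhead figure, the packet sizes and the Fragment dataclass are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_HDR = 20
# Assumed ESP tunnel-mode overhead: outer IPv4 header + ESP header (SPI, seq)
# + trailer (pad length, next header) + 12-byte ICV; padding is ignored.
ESP_OVERHEAD = IP_HDR + 8 + 2 + 12

@dataclass
class Fragment:
    proto: int                        # protocol of the datagram being fragmented (6 = TCP, 50 = ESP)
    offset: int                       # byte offset of this fragment's payload
    length: int                       # payload bytes carried by this fragment
    more: bool                        # IPv4 "more fragments" flag
    ports: Optional[Tuple[int, int]]  # transport ports: visible only in the first fragment

def fragment(payload_len: int, mtu: int, proto: int, ports=None) -> List[Fragment]:
    """IPv4-style fragmentation: every fragment but the last carries a multiple of 8 bytes."""
    chunk = (mtu - IP_HDR) // 8 * 8
    frags, off = [], 0
    while off < payload_len:
        size = min(chunk, payload_len - off)
        frags.append(Fragment(proto, off, size, off + size < payload_len, ports if off == 0 else None))
        off += size
    return frags

def reassemble(frags: List[Fragment]) -> Optional[int]:
    """Return the reassembled payload length, or None if any fragment is missing."""
    expected, total = 0, 0
    for f in sorted(frags, key=lambda f: f.offset):
        if f.offset != expected:
            return None
        expected = total = f.offset + f.length
    return total if frags and not max(frags, key=lambda f: f.offset).more else None

def selector_matches(frag: Fragment, proto: int, dst_port: int) -> Optional[bool]:
    """Protocol/port selector check; None means the SG cannot decide for this fragment."""
    if frag.proto != proto:
        return False
    return None if frag.ports is None else frag.ports[1] == dst_port

def ipsec_then_fragment(payload_len: int, mtu: int) -> List[Fragment]:
    """RFC 2406 order: ESP-encapsulate the whole packet, then fragment the ESP packet (proto 50)."""
    return fragment(IP_HDR + payload_len + ESP_OVERHEAD, mtu, proto=50)

def fragment_then_ipsec(payload_len: int, mtu: int, proto: int, ports) -> List[Optional[bool]]:
    """The alternative order: fragment to an overhead-discounted MTU, then classify each fragment."""
    return [selector_matches(f, proto, ports[1])
            for f in fragment(payload_len, mtu - ESP_OVERHEAD, proto, ports)]
```

With a port selector, only the first pre-IPsec fragment carries the transport header, so the remaining fragments cannot be matched; in the RFC order the peer SG simply reassembles the ESP fragments and decapsulates one inner packet.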
