[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: tunnle mode SAs...

To: "Yuri Poeluev" <ypoeluev@certicom.com>, "Dan Harkins" <dharkins@cips.nokia.COM>
Subject: Re: tunnle mode SAs...
From: "Sami Vaarala" <sami.vaarala@netseal.com>
Date: Thu, 26 Apr 2001 09:54:35 +0300
Cc: <ipsec@lists.tislabs.com>
References: <11FF95E8F84A683385256A39007728B3.0077D10E85256A39@certicom.com> <3AE755C4.BC85B781@certicom.com>
Sender: owner-ipsec@lists.tislabs.com

Yuri and others,

> Dan Harkins wrote:
> >
[snip]
> >
> > Section 3.3.4 of RFC2402 and section 3.3.5 of RFC2406 both say that
> > fragmentation is performed _after_ outbound IPsec processing.
> >
> >   Dan.
>
> Thanks Dan. I agree that it makes sense to define one rule only for packet
> processing. And I thought such rule should be defined somewhere,
> but I didn't know where exactly. I was also considering a situation when a
> developer has difficulties of implementing IPSec above the level where
packet
> fragmentation is done, due to OS architecture. So, I guess he doesn't
> have a choice but to give up. That's why I included case 1 to give him
> a hope :-) And apparently there is no hope unless we want to break
> this rule. I guess there is a similar rule defining case 2 for inbound
> traffic as well.
>
> -Yuri

How is the following paragraph of RFC 2401 Appendix B to be understood?
As far as I understand, it is stating that encrypting fragments in tunnel
mode is acceptable?

What do you do with extremely large packets if you cannot fragment prior
to encryption?  Eg. you have a 65535 byte IP packet, and you want to ESP
tunnel it.  The processed packet is larger than maximum IPv4 packet size.
If you are allowed to fragment this datagram eg into two roughly 32k pieces
and tunnel them separately, there is no connectivity problem.

And as Yuri pointed out, this is no problem if your processing first
decrypts and reassembles, and then checks policy.

-----

B.2 Fragmentation

   If required, IP fragmentation occurs after IPsec processing within an
   IPsec implementation.  Thus, transport mode AH or ESP is applied only
   to whole IP datagrams (not to IP fragments).  An IP packet to which
   AH or ESP has been applied may itself be fragmented by routers en
   route, and such fragments MUST be reassembled prior to IPsec
   processing at a receiver.  In tunnel mode, AH or ESP is applied to an
   IP packet, the payload of which may be a fragmented IP packet.  For
   example, a security gateway, "bump-in-the-stack" (BITS), or "bump-
   in-the-wire" (BITW) IPsec implementation may apply tunnel mode AH to
   such fragments.  Note that BITS or BITW implementations are examples
   of where a host IPsec implementation might receive fragments to which
   tunnel mode is to be applied.  However, if transport mode is to be
   applied, then these implementations MUST reassemble the fragments
   prior to applying IPsec.

-----

-Sami

References:

Re: tunnle mode SAs...

From: Yuri Poeluev <ypoeluev@certicom.com>

Prev by Date: Re: tunnle mode SAs...
Next by Date: RE: tunnel mode SAs...
Prev by thread: Re: tunnle mode SAs...
Next by thread: Re: tunnle mode SAs...
Index(es):
- Main
- Thread