[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Problem about reassembly and fragmentation

To: Jia Xu <xujia@is.ac.cn>, ipsec@lists.tislabs.com
Subject: Re: Problem about reassembly and fragmentation
From: "Nagendra B.S" <nbs@lucent.com>
Date: Fri, 08 Mar 2002 11:00:01 +0530
References: <000d01c1c639$7e45be60$1e72788a@ca.alcatel.com> <010c01c1c653$0ba6f1c0$8800a8c0@xujia319> <3C884C0E.7688876B@lucent.com>
Sender: owner-ipsec@lists.tislabs.com

Read as "As per RFC 2401"

-Nagendra

"Nagendra B.S" wrote:
> 
> As per RFC 2661, all fragmented packets should be reassembled  before
> applying IPSEC.
> 
> >From RFC 2401
> 
> Appendix B -- Analysis/Discussion of PMTU/DF/Fragmentation Issues
> 
> B.2 Fragmentation
> 
>    If required, IP fragmentation occurs after IPsec processing within an
>    IPsec implementation.  Thus, transport mode AH or ESP is applied only
>    to whole IP datagrams (not to IP fragments).  An IP packet to which
>    AH or ESP has been applied may itself be fragmented by routers en
>    route, and such fragments MUST be reassembled prior to IPsec
>    processing at a receiver.  In tunnel mode, AH or ESP is applied to an
>    IP packet, the payload of which may be a fragmented IP packet.  For
>    example, a security gateway, "bump-in-the-stack" (BITS), or "bump-
>    in-the-wire" (BITW) IPsec implementation may apply tunnel mode AH to
>    such fragments.  Note that BITS or BITW implementations are examples
>    of where a host IPsec implementation might receive fragments to which
>    tunnel mode is to be applied.  However, if transport mode is to be
>    applied, then these implementations MUST reassemble the fragments
>    prior to applying IPsec.
> 
> -Nagendra
> 
> Jia Xu wrote:
> >
> > Dear all,
> >
> > I have a question about implementing IPSec by Bump-In-The-Wire approach. When I received IP fragments, can I directly apply IPSec transform on them individually, or should I first reassemble them into an integrated IP datagram?
> >
> > Thanks,
> > Jia Xu
> 
> --
> ------------------------------------------------------------------------
> Nagendra B.S                    nbs@lucent.com
> Infosys - India                 Phone Office : 91-80-8520261  xtn : 6566
> ------------------------------------------------------------------------

-- 
------------------------------------------------------------------------
Nagendra B.S                    nbs@lucent.com
Infosys - India                 Phone Office : 91-80-8520261  xtn : 6566
------------------------------------------------------------------------

References:
- RE: Choosing between IKEv2 and JFK
  - From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>
- Problem about reassembly and fragmentation
  - From: "Jia Xu" <xujia@is.ac.cn>
- Re: Problem about reassembly and fragmentation
  - From: "Nagendra B.S" <nbs@lucent.com>

Prev by Date: Re: Problem about reassembly and fragmentation
Next by Date: Re: Problem about reassembly and fragmentation
Prev by thread: Re: Problem about reassembly and fragmentation
Next by thread: Re: Problem about reassembly and fragmentation
Index(es):
- Date
- Thread