Re: Problem about reassembly and fragmentation
As per RFC 2661, all fragmented packets should be reassembled before
applying IPSEC.
From RFC 2401
Appendix B -- Analysis/Discussion of PMTU/DF/Fragmentation Issues
B.2 Fragmentation
If required, IP fragmentation occurs after IPsec processing within an
IPsec implementation. Thus, transport mode AH or ESP is applied only
to whole IP datagrams (not to IP fragments). An IP packet to which
AH or ESP has been applied may itself be fragmented by routers en
route, and such fragments MUST be reassembled prior to IPsec
processing at a receiver. In tunnel mode, AH or ESP is applied to an
IP packet, the payload of which may be a fragmented IP packet. For
example, a security gateway, "bump-in-the-stack" (BITS), or "bump-
in-the-wire" (BITW) IPsec implementation may apply tunnel mode AH to
such fragments. Note that BITS or BITW implementations are examples
of where a host IPsec implementation might receive fragments to which
tunnel mode is to be applied. However, if transport mode is to be
applied, then these implementations MUST reassemble the fragments
prior to applying IPsec.
-Nagendra
Jia Xu wrote:
>
> Dear all,
>
> I have a question about implementing IPSec by Bump-In-The-Wire approach. When I received IP fragments, can I directly apply IPSec transform on them individually, or should I first reassemble them into an integrated IP datagram?
>
> Thanks,
> Jia Xu
--
------------------------------------------------------------------------
Nagendra B.S nbs@lucent.com
Infosys - India Phone Office : 91-80-8520261 xtn : 6566
------------------------------------------------------------------------
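The rule quoted above from RFC 2401 (a receiver MUST reassemble fragments before transport-mode AH/ESP is applied) as an added Python example, not code from the original thread: a minimal IPv4 fragment reassembler that releases a datagram only when the fragment set is contiguous and complete, so IPsec processing never sees a partial packet. The `make_ipv4` helper, the fixed addresses and the `pending` dictionary layout are constructed for this example, and expiry of stale fragment sets is left to the caller.

```python
import struct

def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement header checksum, computed with the checksum field zeroed."""
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def make_ipv4(payload, offset=0, mf=False, ident=0x1234):
    """Constructed test input: minimal IPv4/UDP packet between two fixed addresses."""
    frag = (0x2000 if mf else 0) | (offset // 8)
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                                frag, 64, 17, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload

def parse_ipv4(pkt):
    """Fields needed to identify a fragment set and place a fragment within it."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, frag = struct.unpack("!HHH", pkt[2:8])
    return {"hdr": pkt[:ihl], "payload": pkt[ihl:total_len], "mf": bool(frag & 0x2000),
            "offset": (frag & 0x1FFF) * 8, "key": (pkt[12:16], pkt[16:20], ident, pkt[9])}

def feed(pending, pkt):
    """Buffer pkt in pending (keyed by src, dst, id, proto); return a whole datagram or None."""
    f = parse_ipv4(pkt)
    if not f["mf"] and f["offset"] == 0:
        return pkt                                  # unfragmented: pass straight through
    e = pending.setdefault(f["key"], {"parts": {}, "end": None, "hdr": None})
    e["parts"][f["offset"]] = f["payload"]
    if f["offset"] == 0:
        e["hdr"] = f["hdr"]                         # header of the first fragment is reused
    if not f["mf"]:
        e["end"] = f["offset"] + len(f["payload"])  # last fragment fixes the total size
    pos, data = 0, b""
    for off in sorted(e["parts"]):
        if off != pos:                              # gap or overlap: not releasable
            return None
        data += e["parts"][off]
        pos += len(e["parts"][off])
    if e["hdr"] is None or pos != e["end"]:         # first or last fragment still missing
        return None
    del pending[f["key"]]                           # production code also expires stale sets
    hdr = bytearray(e["hdr"])
    struct.pack_into("!H", hdr, 2, len(hdr) + len(data))  # total length of whole datagram
    struct.pack_into("!H", hdr, 6, 0)                      # clear MF flag and fragment offset
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + data
```

Only the value returned by `feed` should be handed to the AH/ESP transport-mode path; everything it buffers is by definition not yet a whole IP datagram.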