
Re: Problem about reassembly and fragmentation



At 07:50 AM 3/8/02 , Paul Koning wrote:
>Excerpt of message (sent 7 March 2002) by Scott Fluhrer:
>> At 09:28 PM 3/7/02 , Nagendra B.S wrote:
>> >As per RFC [2401], all fragmented packets should be reassembled  before
>> >applying IPSEC.
>> 
>> How do you come to that conclusion?  The text reads:
>> 
>>    In tunnel mode, AH or ESP is applied to an
>>    IP packet, the payload of which may be a fragmented IP packet.  For
>>    example, a security gateway, "bump-in-the-stack" (BITS), or "bump-
>>    in-the-wire" (BITW) IPsec implementation may apply tunnel mode AH to
>>    such fragments.
>> 
>> It would appear to state that if you are using tunnel mode, you can
>> encrypt fragments.
>
>I think the mixup is between encryption and decryption.  You can
>encrypt any IP packet individually -- that includes packets which are
>fragments.
 
Obnit: you can encrypt fragments in tunnel mode.  In transport mode,
you can only encrypt unfragmented packets, and so you must reassemble
(or drop) if you get fragments.  And yes, there are IPSec
implementations where you could possibly see fragments that need to be
encrypted using transport mode.

>
>If the network has fragmented packets after IPsec has done its thing,
>i.e., the outer header indicates fragmentation, then you must
>reassemble at that level before decrypting.  
>
>	   paul
>
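The two rules discussed above (tunnel mode can protect a fragment as-is, transport mode must reassemble or drop first, and a receiver must reassemble outer fragments before it can decrypt) laid out as an added example that is not part of the original thread. It is a toy Python model, not an IPsec stack: the IPv4 header is reduced to the fields that drive fragmentation (src, dst, identification, offset, MF flag), a keyed XOR stands in for ESP, and the `Reassembler`, `outbound`/`inbound` functions, addresses and sample datagram are all constructed for illustration.

```python
"""Toy model of where IPv4 reassembly sits relative to IPsec processing.

Added example (not from the original thread). A keyed XOR is a placeholder for
ESP; real ESP uses the SA's cipher and integrity keys. Offsets are in bytes here
(a real IPv4 header counts them in 8-byte units).
"""
from dataclasses import dataclass
import itertools


@dataclass
class IPv4Packet:
    src: str
    dst: str
    ident: int
    offset: int
    more_fragments: bool
    payload: bytes

    def is_fragment(self) -> bool:
        # Either MF set or a non-zero offset marks a fragment.
        return self.more_fragments or self.offset != 0


class Reassembler:
    """Collects fragments keyed by (src, dst, ident); returns the whole datagram once complete."""

    def __init__(self):
        self.buckets = {}

    def feed(self, pkt):
        key = (pkt.src, pkt.dst, pkt.ident)
        frags = self.buckets.setdefault(key, {})
        frags[pkt.offset] = pkt
        pos, ordered = 0, []
        while pos in frags:                # walk contiguous fragments from offset 0
            p = frags[pos]
            ordered.append(p.payload)
            pos += len(p.payload)
            if not p.more_fragments:       # last fragment seen and no holes: done
                del self.buckets[key]
                return IPv4Packet(pkt.src, pkt.dst, pkt.ident, 0, False, b"".join(ordered))
        return None                        # still incomplete


def fragment(pkt, chunk):
    """Split a packet's payload into fragments of `chunk` bytes (constructed helper)."""
    out = []
    for off in range(0, len(pkt.payload), chunk):
        mf = off + chunk < len(pkt.payload)
        out.append(IPv4Packet(pkt.src, pkt.dst, pkt.ident, off, mf, pkt.payload[off:off + chunk]))
    return out


_KEY = 0x5A                                # placeholder key, NOT ESP
_outer_id = itertools.count(1000)


def toy_esp(data: bytes) -> bytes:         # XOR is its own inverse
    return bytes(b ^ _KEY for b in data)


def serialize(pkt) -> bytes:              # inner header + payload, for tunnel mode
    return f"{pkt.src}|{pkt.dst}|{pkt.ident}|{pkt.offset}|{int(pkt.more_fragments)}|".encode() + pkt.payload


def deserialize(raw: bytes):
    src, dst, ident, off, mf, payload = raw.split(b"|", 5)
    return IPv4Packet(src.decode(), dst.decode(), int(ident), int(off), mf == b"1", payload)


def outbound(pkt, mode, gw_src, gw_dst, reasm):
    """Sender side. Returns the protected packet, or None while a transport-mode datagram is incomplete."""
    if mode == "tunnel":
        # The whole inner packet, fragment or not, is the payload of a fresh outer packet.
        return IPv4Packet(gw_src, gw_dst, next(_outer_id), 0, False, toy_esp(serialize(pkt)))
    if pkt.is_fragment():                  # transport mode: reassemble (or drop) first
        pkt = reasm.feed(pkt)
        if pkt is None:
            return None
    return IPv4Packet(pkt.src, pkt.dst, pkt.ident, 0, False, toy_esp(pkt.payload))


def inbound(pkt, mode, reasm):
    """Receiver side. Outer-header fragmentation must be undone before decryption in either mode."""
    if pkt.is_fragment():
        pkt = reasm.feed(pkt)
        if pkt is None:
            return None
    plain = toy_esp(pkt.payload)
    if mode == "tunnel":
        return deserialize(plain)          # may itself be an inner fragment; forward it as such
    return IPv4Packet(pkt.src, pkt.dst, pkt.ident, 0, False, plain)


def demo():
    inner = IPv4Packet("10.0.0.1", "10.0.1.1", 7, 0, False, b"A" * 24)   # constructed datagram
    # Tunnel mode: every inner fragment is protected on its own and comes out as a fragment.
    tunneled = [outbound(f, "tunnel", "192.0.2.1", "198.51.100.1", Reassembler()) for f in fragment(inner, 8)]
    recovered = [inbound(t, "tunnel", Reassembler()) for t in tunneled]
    # Transport mode: nothing can be sent until the fragments have been reassembled.
    r = Reassembler()
    transport = [outbound(f, "transport", None, None, r) for f in fragment(inner, 8)]
    # The protected packet is fragmented on the wire; the receiver reassembles before decrypting.
    rin = Reassembler()
    received = [inbound(f, "transport", rin) for f in fragment(transport[-1], 16)]
    return {
        "tunnel_recovered_offsets": [p.offset for p in recovered],
        "transport_outputs": [t is not None for t in transport],
        "outer_partial": [x is None for x in received[:-1]],
        "outer_reassembled_payload": received[-1].payload,
    }
```

Running `demo()` shows the asymmetry: in tunnel mode all three inner fragments go out immediately and arrive still carrying offsets 0, 8 and 16, while in transport mode only the third `outbound` call produces a packet. On the receive side the first outer fragment yields nothing; decryption only happens once the outer datagram is whole, because a partial payload cannot be decrypted or integrity-checked on its own.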