Re: Problem about reassembly and fragmentation
At 9:16 AM -0800 3/8/02, Scott Fluhrer wrote:
>At 07:50 AM 3/8/02 , Paul Koning wrote:
>>Excerpt of message (sent 7 March 2002) by Scott Fluhrer:
>>> At 09:28 PM 3/7/02 , Nagendra B.S wrote:
>>> >As per RFC [2401], all fragmented packets should be reassembled before
>>> >applying IPSEC.
>>>
>>> How do you come to that conclusion? The text reads:
>>>
>>> In tunnel mode, AH or ESP is applied to an
>>> IP packet, the payload of which may be a fragmented IP packet. For
>>> example, a security gateway, "bump-in-the-stack" (BITS), or
>>> "bump-in-the-wire" (BITW) IPsec implementation may apply tunnel mode AH
>>> to such fragments.
>>>
>>> It would appear to state that if you are using tunnel mode, you can
>>> encrypt fragments.
>>
>>I think the mixup is between encryption and decryption. You can
>>encrypt any IP packet individually -- that includes packets which are
>>fragments.
>
>Obnit: you can encrypt fragments in tunnel mode. In transport mode,
>you can only encrypt unfragmented packets, and so you must reassemble
>(or drop) if you get fragments. And yes, there are IPSec
>implementations where you could possibly see fragments that need to be
>encrypted using transport mode.
RFC 2401 states that transport mode is to be used only between
endpoints, and that the next layer protocol is typically a transport
layer protocol, apropos the mode name. In what circumstances do you
see fragments (hence another IP header) being encapsulated in
transport mode? L2TP?
Steve
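The tunnel-mode versus transport-mode distinction argued over in this thread, as an added worked example that is not part of the thread or of any IPsec implementation: tunnel mode wraps the entire original packet (fragment or not) as opaque ESP payload behind a new outer IP header, while transport mode keeps the original IP header and protects only what follows it, so it can only be applied to a whole datagram (MF clear, fragment offset zero) and fragments must be reassembled (or dropped) first. The addresses, SPIs, key and UDP payload are constructed; the "cipher" is a placeholder SHA-256 counter keystream with no ICV, and the IPv4 header checksum is left zero, none of which is real ESP processing.

```python
import hashlib
import socket
import struct

IPPROTO_IPV4 = 4     # next-header value for an IPv4 packet carried in tunnel mode
IPPROTO_UDP = 17
IPPROTO_ESP = 50
FLAG_MF = 0x2000     # "more fragments" bit of the IPv4 flags/fragment-offset field
OFFSET_MASK = 0x1FFF


def build_ipv4(src, dst, proto, payload, ident=1, mf=False, offset=0):
    """IPv4 header (no options, checksum left 0) + payload; offset in bytes, multiple of 8."""
    frag = (FLAG_MF if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_ipv4(pkt):
    vihl, _, total, ident, frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    assert vihl == 0x45, "example assumes no IP options"
    return {"ident": ident, "mf": bool(frag & FLAG_MF), "offset": (frag & OFFSET_MASK) * 8,
            "proto": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "payload": pkt[20:total]}


def fragment(pkt, mtu):
    """Split one datagram into fragments that fit the MTU (data chunks 8-byte aligned)."""
    f = parse_ipv4(pkt)
    chunk, data, frags = (mtu - 20) // 8 * 8, f["payload"], []
    for off in range(0, len(data), chunk):
        last = off + chunk >= len(data)
        frags.append(build_ipv4(f["src"], f["dst"], f["proto"], data[off:off + chunk],
                                ident=f["ident"], mf=not last, offset=off))
    return frags


def reassemble(frags):
    """Rebuild the datagram; refuse a chain with a gap or a missing last fragment."""
    parts = sorted((parse_ipv4(p) for p in frags), key=lambda x: x["offset"])
    data, expect = b"", 0
    for part in parts:
        if part["offset"] != expect:
            raise ValueError("gap in fragment chain")
        data += part["payload"]
        expect += len(part["payload"])
    if parts[-1]["mf"]:
        raise ValueError("last fragment missing")
    p = parts[0]
    return build_ipv4(p["src"], p["dst"], p["proto"], data, ident=p["ident"])


def keystream(key, spi, seq, n):
    """Placeholder keystream so the example runs offline; NOT real ESP cryptography."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, ctr)).digest()
        ctr += 1
    return out[:n]


def esp_seal(plain, next_header, key, spi, seq):
    """SPI | seq | XOR-encrypted (payload | padding | pad-length | next-header); no ICV here."""
    pad_len = (-(len(plain) + 2)) % 4          # pad-length/next-header end on a 4-byte boundary
    body = plain + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ks = keystream(key, spi, seq, len(body))
    return struct.pack("!II", spi, seq) + bytes(a ^ b for a, b in zip(body, ks))


def esp_open(esp, key):
    spi, seq = struct.unpack("!II", esp[:8])
    ks = keystream(key, spi, seq, len(esp) - 8)
    body = bytes(a ^ b for a, b in zip(esp[8:], ks))
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[:len(body) - 2 - pad_len]


def tunnel_mode(pkt, gw_src, gw_dst, key, spi, seq):
    """Whole inner packet, fragment or not, is opaque payload behind a new outer header."""
    return build_ipv4(gw_src, gw_dst, IPPROTO_ESP,
                      esp_seal(pkt, IPPROTO_IPV4, key, spi, seq), ident=seq)


def transport_mode(pkt, key, spi, seq):
    """Keep the original header and protect what follows it: only defined for a whole datagram."""
    f = parse_ipv4(pkt)
    if f["mf"] or f["offset"]:
        raise ValueError("transport mode: fragment must be reassembled (or dropped) first")
    return build_ipv4(f["src"], f["dst"], IPPROTO_ESP,
                      esp_seal(f["payload"], f["proto"], key, spi, seq), ident=f["ident"])


def demo():
    key = b"example-key-not-for-real-use"                    # constructed
    udp = bytes(range(256)) * 4                               # constructed 1024-byte UDP payload
    original = build_ipv4("192.0.2.10", "198.51.100.20", IPPROTO_UDP, udp, ident=7)
    frags = fragment(original, mtu=576)
    tunneled = [tunnel_mode(p, "203.0.113.1", "203.0.113.2", key, 0x1001, i)
                for i, p in enumerate(frags, 1)]
    recovered = [esp_open(parse_ipv4(t)["payload"], key) for t in tunneled]
    tunnel_ok = all(nh == IPPROTO_IPV4 and inner == p for (nh, inner), p in zip(recovered, frags))
    try:
        transport_mode(frags[0], key, 0x2002, 1)
        refused = False
    except ValueError:
        refused = True
    protected = transport_mode(reassemble(frags), key, 0x2002, 1)
    nh, plain = esp_open(parse_ipv4(protected)["payload"], key)
    return {"fragments": len(frags), "tunnel_ok": tunnel_ok,
            "transport_refused_fragment": refused,
            "transport_roundtrip": nh == IPPROTO_UDP and plain == udp}
```

Each tunnel-mode packet decapsulates to exactly the fragment that went in, header and fragment fields included, which is why a gateway can forward fragments without ever reassembling; the transport-mode path has nowhere to carry a second IP header, so a fragment arriving there has to be reassembled (or dropped) before the ESP header can be inserted after the original one.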