
Re: Problem about reassembly and fragmentation



At 10:02 AM 3/8/2002, Stephen Kent wrote:
>At 9:16 AM -0800 3/8/02, Scott Fluhrer wrote:
>>At 07:50 AM 3/8/02 , Paul Koning wrote:
>>>Excerpt of message (sent 7 March 2002) by Scott Fluhrer:
>>>>  At 09:28 PM 3/7/02 , Nagendra B.S wrote:
>>>>  >As per RFC [2401], all fragmented packets should be reassembled before
>>>>  >applying IPSEC.
>>>>
>>>>  How do you come to that conclusion?  The text reads:
>>>>
>>>>     In tunnel mode, AH or ESP is applied to an
>>>>     IP packet, the payload of which may be a fragmented IP packet.  For
>>>>     example, a security gateway, "bump-in-the-stack" (BITS), or "bump-
>>>>     in-the-wire" (BITW) IPsec implementation may apply tunnel mode AH to
>>>>     such fragments.
>>>>
>>>>  It would appear to state that if you are using tunnel mode, you can
>>>>  encrypt fragments.
>>>
>>>I think the mixup is between encryption and decryption.  You can
>>>encrypt any IP packet individually -- that includes packets which are
>>>fragments.
>>
>>Obnit: you can encrypt fragments in tunnel mode.  In transport mode,
>>you can only encrypt unfragmented packets, and so you must reassemble
>>(or drop) if you get fragments.  And yes, there are IPSec
>>implementations where you could possibly see fragments that need to be
>>encrypted using transport mode.
>
>RFC 2401 states that transport mode is to be used only between endpoints, 
>and that the next layer protocol is typically a transport layer protocol, 
>apropos the mode name.  In what circumstances do you see fragments (hence 
>another IP header) being encapsulated in transport mode? L2TP?

The implementation I'm thinking about acts as a BITW in front of a specific 
end point (IP address), and intercepts all traffic to/from the end point, 
and encrypts/decrypts traffic on behalf of the end point.  The BITW itself 
doesn't have an IP address, and so it borrows the end point's.  To anything 
past the BITW, the BITW and the endpoint appear to be one unit that does 
(among other things) IPSec.  And so, if the end point sends fragments with 
itself as the source IP address, then the BITW may decide to encrypt them, 
and if the SA it selects happens to be in transport mode, well, we're in 
exactly the scenario I alluded to above...


>Steve
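An added illustration of the rule Scott states above (this is my own example, not code from anyone in this thread or from any implementation they describe): an outbound policy check for a BITW that parses the IPv4 header, detects a fragment, and lets it through as-is only when the selected SA is tunnel mode. Names such as `outbound_decision` and `make_ipv4`, and the sample packets, are constructed for the example.

```python
import struct
from dataclasses import dataclass

IP_MF = 0x1  # "More Fragments" bit in the IPv4 flags field

@dataclass
class IPv4Header:
    src: str
    dst: str
    proto: int
    offset: int   # fragment offset, in 8-byte units
    more: bool    # MF flag set

    @property
    def is_fragment(self) -> bool:
        # Any fragment other than a whole datagram has MF set or a non-zero offset.
        return self.more or self.offset != 0

def _dotted(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_ipv4(pkt: bytes) -> IPv4Header:
    """Parse the fixed 20-byte IPv4 header (RFC 791 layout)."""
    (ver_ihl, _tos, _tlen, _ident, frag, _ttl,
     proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return IPv4Header(_dotted(src), _dotted(dst), proto,
                      frag & 0x1FFF, bool((frag >> 13) & IP_MF))

def outbound_decision(pkt: bytes, sa_mode: str) -> str:
    """RFC 2401 rule: tunnel mode may protect a fragment as-is (it becomes the
    inner payload); transport mode may not, so reassemble first or drop."""
    hdr = parse_ipv4(pkt)
    if not hdr.is_fragment or sa_mode == "tunnel":
        return "protect"
    if sa_mode == "transport":
        return "reassemble_or_drop"
    raise ValueError(f"unknown SA mode {sa_mode!r}")

def make_ipv4(src: str, dst: str, proto: int, offset: int, more: bool,
              payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet (constructed test data; checksum left zero)."""
    frag = ((IP_MF << 13) if more else 0) | (offset & 0x1FFF)
    s = bytes(int(x) for x in src.split("."))
    d = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                       0x1234, frag, 64, proto, 0, s, d) + payload
```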