
Re: Problem about reassembly and fragmentation



At 10:32 AM -0800 3/8/02, Scott Fluhrer wrote:


Obnit: you can encrypt fragments in tunnel mode.  In transport mode,
you can only encrypt unfragmented packets, and so you must reassemble
(or drop) if you get fragments.  And yes, there are IPSec
implementations where you could possibly see fragments that need to be
encrypted using transport mode.

RFC 2401 states that transport mode is to be used only between endpoints, and that the next layer protocol is typically a transport layer protocol, apropos the mode name.  In what circumstances do you see fragments (hence another IP header) being encapsulated in transport mode? L2TP?

The implementation I'm thinking about acts as a BITW in front of a specific end point (IP address), and intercepts all traffic to/from the end point, and encrypts/decrypts traffic on behalf of the end point.  The BITW itself doesn't have an IP address, and so it borrows the end point's.  To anything past the BITW, the BITW and the endpoint appear to be one unit that does (among other things) IPSec.  And so, if the end point sends fragments with itself as the source IP address, then the BITW may decide to encrypt them, and if the SA it selects happens to be in transport mode, well, we're in exactly the scenario I alluded to above...
Steve

Scott,

Note the following from 2401 (Appendix B), with my application of bold text:

B.2 Fragmentation

   If required, IP fragmentation occurs after IPsec processing within an
   IPsec implementation.  Thus, transport mode AH or ESP is applied only
   to whole IP datagrams (not to IP fragments).  An IP packet to which
   AH or ESP has been applied may itself be fragmented by routers en
   route, and such fragments MUST be reassembled prior to IPsec
   processing at a receiver.  In tunnel mode, AH or ESP is applied to an
   IP packet, the payload of which may be a fragmented IP packet.  For
   example, a security gateway, "bump-in-the-stack" (BITS), or "bump-
   in-the-wire" (BITW) IPsec implementation may apply tunnel mode AH to
   such fragments.  Note that BITS or BITW implementations are examples
   of where a host IPsec implementation might receive fragments to which
   tunnel mode is to be applied.  However, if transport mode is to be
   applied, then these implementations MUST reassemble the fragments
   prior to applying IPsec.

Steve
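As an added illustration (not part of the thread or of any IPsec implementation), here is a small Python model of the Appendix B.2 rule as it applies to the outbound side of a BITW that, as Scott describes, can see its host's own fragments: in tunnel mode each fragment is handed to IPsec as-is, while in transport mode fragments are held until the whole datagram is reassembled. The IPv4 builder, fragmenter and reassembler, the addresses and the identifier are all constructed for this example, and header checksums are left at zero.

```python
import struct

# Constructed minimal IPv4 header layout: ver/ihl, tos, total len, id, flags+frag, ttl, proto, csum, src, dst
IPV4_HDR = "!BBHHHBBH4s4s"

def build_ipv4(ident, mf, offset, payload, proto=17, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    flags_frag = (0x2000 if mf else 0) | (offset // 8)  # MF bit plus offset in 8-byte units
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0, src, dst)
    return hdr + payload

def parse_ipv4(pkt):
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ident": ident, "mf": bool(flags_frag & 0x2000), "offset": (flags_frag & 0x1FFF) * 8,
            "proto": proto, "src": src, "dst": dst, "payload": pkt[ihl:total_len]}

def fragment(pkt, frag_payload=16):
    """Split one datagram into IPv4 fragments; frag_payload must be a multiple of 8."""
    h = parse_ipv4(pkt)
    chunks = [h["payload"][i:i + frag_payload] for i in range(0, len(h["payload"]), frag_payload)]
    return [build_ipv4(h["ident"], i < len(chunks) - 1, i * frag_payload, c, h["proto"], h["src"], h["dst"])
            for i, c in enumerate(chunks)]

def reassemble(parts):
    """Return the full payload once every fragment is present (no gaps, last has MF=0), else None."""
    data, expect = b"", 0
    for off in sorted(parts):
        mf, payload = parts[off]
        if off != expect:          # a hole before this fragment: still waiting
            return None
        data, expect = data + payload, expect + len(payload)
        if not mf:                 # final fragment reached with no holes
            return data
    return None

class BitwOutbound:
    """Outbound selector enforcing RFC 2401 B.2: transport mode only on whole datagrams."""
    def __init__(self, mode):
        self.mode = mode           # "tunnel" or "transport"
        self.pending = {}          # (src, dst, ident, proto) -> {offset: (mf, payload)}

    def handle(self, pkt):
        """Return the datagrams now ready for AH/ESP processing (possibly none)."""
        h = parse_ipv4(pkt)
        if not (h["mf"] or h["offset"]) or self.mode == "tunnel":
            return [pkt]           # whole datagram, or tunnel mode may wrap a fragment
        key = (h["src"], h["dst"], h["ident"], h["proto"])
        parts = self.pending.setdefault(key, {})
        parts[h["offset"]] = (h["mf"], h["payload"])
        whole = reassemble(parts)
        if whole is None:
            return []              # transport mode: MUST reassemble before applying IPsec
        del self.pending[key]
        return [build_ipv4(h["ident"], False, 0, whole, h["proto"], h["src"], h["dst"])]
```

A real implementation would also bound the pending table (timeouts and a size cap), since a sender that never completes a datagram can otherwise make the BITW hold state indefinitely.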