[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Problem about reassembly and fragmentation
Title: Re: Problem about reassembly and
fragmentation
At 10:32 AM -0800 3/8/02, Scott Fluhrer wrote:
Obnit: you can encrypt fragments in tunnel mode. In transport
mode,
you can only encrypt unfragmented packets, and so you must
reassemble
(or drop) if you get fragments. And yes, there are IPSec
implementations where you could possibly see fragments that need to
be
encrypted using transport mode.
RFC 2401 states that transport mode is to be used only between
endpoints, and that the next layer protocol is typically a transport
layer protocol, apropos the mode name. In what circumstances do
you see fragments (hence another IP header) being encapsulated in
transport mode? L2TP?
The implementation I'm thinking about acts as a BITW in front of a
specific end point (IP address), and intercepts all traffic to/from
the end point, and encrypts/decrypts traffic on behalf of the end
point. The BITW itself doesn't have an IP address, and so it
borrows the end point's. To anything past the BITW, the BITW and
the endpoint appear to be one unit that does (among other things)
IPSec. And so, if the end point sends fragments with itself as
the source IP address, then the BITW may decide to encrypt them, and
if the SA it selects happens to be in transport mode, well, we're in
exactly the scenario I eluded to above...
Steve
Scott,
Note the following from 2401 (Appendix B), with my application
of bold text:
B.2
Fragmentation
If required, IP fragmentation occurs after IPsec
processing within an
IPsec
implementation. Thus, transport mode AH or ESP is applied
only
to
whole IP datagrams (not to IP fragments). An IP packet to
which
AH or ESP has been applied may itself be fragmented by
routers en
route, and such fragments MUST be reassembled prior to
IPsec
processing at a receiver. In tunnel mode, AH or ESP
is applied to an
IP
packet, the payload of which may be a fragmented IP packet.
For
example, a security gateway, "bump-in-the-stack"
(BITS), or "bump-
in-the-wire" (BITW) IPsec implementation may apply
tunnel mode AH to
such
fragments. Note that BITS or BITW implementations are
examples
of where a host IPsec implementation might receive
fragments to which
tunnel mode is to be applied. However, if transport mode is to
be
applied, then these implementations MUST reassemble the
fragments
prior to applying IPsec.
Steve