
RE: Problem about reassembly and fragmentation



What if you are supporting port policies? Don't you need the transport
header to verify policy on the decrypted fragments?

-----Original Message-----
From: owner-ipsec@lists.tislabs.com
[mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Paul Koning
Sent: Friday, March 08, 2002 7:51 AM
To: sfluhrer@cisco.com
Cc: nbs@lucent.com; xujia@is.ac.cn; ipsec@lists.tislabs.com
Subject: Re: Problem about reassembly and fragmentation


Excerpt of message (sent 7 March 2002) by Scott Fluhrer:
 > At 09:28 PM 3/7/02, Nagendra B.S wrote:
 > >As per RFC [2401], all fragmented packets should be reassembled before
 > >applying IPSEC.
 >
 > How do you come to that conclusion?  The text reads:
 >
 >    In tunnel mode, AH or ESP is applied to an
 >    IP packet, the payload of which may be a fragmented IP packet.  For
 >    example, a security gateway, "bump-in-the-stack" (BITS), or "bump-
 >    in-the-wire" (BITW) IPsec implementation may apply tunnel mode AH to
 >    such fragments.
 >
 > It would appear to state that if you are using tunnel mode, you can
 > encrypt fragments.

I think the mixup is between encryption and decryption.  You can
encrypt any IP packet individually -- that includes packets which are
fragments.

If the network has fragmented packets after IPsec has done its thing,
i.e., the outer header indicates fragmentation, then you must
reassemble at that level before decrypting.

	   paul
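The two decisions the thread separates (a fragmented outer header must be reassembled before decryption; after decryption only a first fragment of the inner packet carries the transport header a port policy needs) as an added worked example. This is illustrative code written for this archive page, not an implementation from any of the posters; `build_ipv4`, `outer_action` and `inner_port_policy` are hypothetical helper names and the packets are constructed inline.

```python
import struct

# Constructed example: classify IPv4 packets for the two decisions above
# (outer-header fragments before decryption, inner fragments against a
# port policy after decryption). Helper names are hypothetical.
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # minimal 20-byte IPv4 header
ESP, TCP, UDP = 50, 6, 17


def build_ipv4(proto, ident, payload, mf=False, offset=0,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Build a minimal IPv4 packet with no options (checksum left zero)."""
    frag = (0x2000 if mf else 0) | (offset // 8)  # MF flag + 8-byte units
    hdr = IPV4_HDR.pack(0x45, 0, 20 + len(payload), ident, frag, 64,
                        proto, 0, src, dst)
    return hdr + payload


def parse_ipv4(pkt):
    """Return only the fields that matter for fragmentation handling."""
    vihl, _, tlen, ident, frag, _, proto, _, src, dst = IPV4_HDR.unpack_from(pkt)
    ihl = (vihl & 0x0F) * 4
    return {"id": ident, "proto": proto, "src": src, "dst": dst,
            "mf": bool(frag & 0x2000), "offset": (frag & 0x1FFF) * 8,
            "payload": pkt[ihl:tlen]}


def outer_action(pkt):
    """Wire side: an outer header that is a fragment cannot be decrypted as-is."""
    h = parse_ipv4(pkt)
    if h["mf"] or h["offset"]:
        return "reassemble-before-decrypt"
    return "decrypt" if h["proto"] == ESP else "bypass"


def inner_port_policy(inner_pkt, allowed_dports):
    """Plaintext side: only the first fragment carries the transport header."""
    h = parse_ipv4(inner_pkt)
    if h["offset"]:
        # Non-first fragment: ports are absent, policy must be carried over
        # from the first fragment (or the inner packet reassembled).
        return "no-transport-header"
    if h["proto"] not in (TCP, UDP) or len(h["payload"]) < 4:
        return "no-ports"
    _, dport = struct.unpack_from("!HH", h["payload"])
    return "allow" if dport in allowed_dports else "deny"
```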