
RE: Problem about reassembly and fragmentation

At 1:09 PM -0800 3/9/02, Prasad, Rajendra wrote:
As I have understood, the outermost IP header should not have fragments for encryption or decryption.

While encrypting - In transport mode - NO fragments (if fragmented, drop it). In tunnel mode, the inner IP header may have fragmentation but the outer IP header does not. After encrypting the packet you may do fragmentation.

While decrypting - If the packet is fragmented, it should be reassembled first before decryption.

Slightly odd wording here, but mostly correct. Yes, in transport mode, the packets received by an IPsec implementation for outbound processing ought not be fragments; otherwise the implementation has to assemble them before applying IPsec. In tunnel mode, the IPsec implementation may receive fragments for outbound processing. In either case, the addition of the IPsec headers may exceed the MTU for the outbound interface, so the "outer" header (the only header for transport mode) may exhibit fragmentation. I'd like to push for mandatory use of PMTU and thus an ability to avoid the need to fragment, and perhaps avoid the need to perform reassembly at the receiver, to remove this means of DoS attacks against receivers.

Steve
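The rules laid out in the two messages above, modelled as an added Python example (not code from either poster or from any IPsec implementation): transport-mode outbound processing refuses fragments, tunnel mode accepts them, the post-encapsulation length is checked against the interface MTU, and the sender either fragments the outer packet or, when PMTU discovery is in use, reports the usable size back instead. The receive side buffers fragments until a datagram is whole before handing it to decryption, with a cap on buffered bytes to show the resource the reassembly step ties up. The ESP overhead figures (8-byte header, 16-byte IV, 16-byte cipher block, 12-byte ICV) and the `last` flag standing in for real MF/offset bookkeeping are assumptions made for the illustration.

```python
import math
from dataclasses import dataclass, field

# Overhead figures are assumptions for illustration; real values depend on
# the negotiated ESP transforms.
BLOCK = 16            # cipher block size the ESP padding is aligned to
ESP_HEADER = 8        # SPI + sequence number
ESP_IV = 16           # per-packet IV
ESP_TRAILER = 2       # pad-length + next-header bytes
ESP_ICV = 12          # integrity check value (96-bit)
IP_HEADER = 20        # IPv4 header without options


@dataclass
class Packet:
    length: int                 # total length in bytes, IP header included
    is_fragment: bool = False   # MF set or non-zero fragment offset


def esp_length(pkt_len, mode):
    """Size of the packet after ESP encapsulation in the given mode."""
    # Transport mode protects only the payload behind the original IP header;
    # tunnel mode protects the whole inner packet and adds a new outer header.
    payload = pkt_len - IP_HEADER if mode == "transport" else pkt_len
    padded = math.ceil((payload + ESP_TRAILER) / BLOCK) * BLOCK
    return IP_HEADER + ESP_HEADER + ESP_IV + padded + ESP_ICV


def largest_inner_length(mtu, mode):
    """Largest pre-IPsec packet whose encapsulation still fits the MTU."""
    n = mtu
    while n > IP_HEADER and esp_length(n, mode) > mtu:
        n -= 1
    return n


def outbound(pkt, mode, mtu, pmtu=True):
    """Outbound IPsec processing decision: returns (action, detail)."""
    if mode == "transport" and pkt.is_fragment:
        # Transport mode needs the transport header in the clear; a fragment
        # cannot be processed until the original datagram is reassembled.
        return ("reassemble_first", None)
    out_len = esp_length(pkt.length, mode)
    if out_len <= mtu:
        return ("send", out_len)
    if pmtu:
        # With PMTU discovery the originator is told the usable size instead
        # of the outer packet being fragmented, so the peer never reassembles.
        return ("too_big", largest_inner_length(mtu, mode))
    # Otherwise fragment the outer (post-encapsulation) packet.
    chunk = (mtu - IP_HEADER) // 8 * 8      # fragment data is in 8-byte units
    return ("fragment", math.ceil((out_len - IP_HEADER) / chunk))


@dataclass
class Reassembler:
    """Inbound side: fragments are held until the datagram is complete and
    only a whole datagram is passed to decryption. `max_pending` bounds the
    bytes held for incomplete datagrams, the resource fragment floods consume."""
    max_pending: int
    pending: dict = field(default_factory=dict)
    buffered: int = 0

    def inbound(self, key, pkt, last=False):
        if not pkt.is_fragment:
            return "decrypt"
        if self.buffered + pkt.length > self.max_pending:
            return "drop_no_buffer"
        self.pending.setdefault(key, []).append(pkt)
        self.buffered += pkt.length
        if last:   # simplification: a flag instead of MF/offset tracking
            frags = self.pending.pop(key)
            self.buffered -= sum(f.length for f in frags)
            return "reassembled_decrypt"
        return "buffered"


if __name__ == "__main__":
    full = Packet(1500)
    print(outbound(full, "transport", 1500))             # too_big, 1458
    print(outbound(full, "tunnel", 1500, pmtu=False))    # fragment, 2
    print(outbound(Packet(1500, True), "transport", 1500))
```

Running it with a 1500-byte packet on a 1500-byte MTU shows the point Steve makes: encapsulation pushes the packet over the MTU in both modes, and the choice is between fragmenting the outer packet (and making the receiver reassemble before it can even check the ICV) or reporting the usable size back with PMTU.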