
RE: Problem about reassembly and fragmentation



At 06:11 AM 3/11/02, Stephen Kent wrote: 
>
> [I]n transport mode, the packets received by an IPsec implementation for
> outbound processing ought not be fragments, otherwise the implementation has
> to assemble them before applying IPsec. In tunnel mode, the IPsec
> implementation may receive fragments for outbound processing.  In either
> case, the addition of the IPsec headers may exceed the MTU for the
> outbound interface, so the "outer" header (the only header for transport
> mode) may exhibit fragmentation. I'd like to push for mandatory use of PMTU
> and thus an ability to avoid the need to fragment, and perhaps avoid the need
> to perform reassembly at the receiver, to remove this means of DoS attacks
> against receivers.


While I appreciate your trying to allow a security gateway to avoid
fragmentation, I doubt that it will always be practical in IPv4.  I have seen
networks where either:

- The end application is too stupid to understand PMTU
- There's a firewall between the security gateway and the end system which
drops all ICMP messages

In either of these cases, PMTU doesn't work.  And hence, we're either going to
stop supporting those legacy networks, or we're just going to allow security
gateways to fragment anyways.

-- 
scott
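The size arithmetic behind this exchange, as an added worked example that is not part of the original message and is not taken from any IPsec implementation. It assumes IPv4 ESP in tunnel mode with AES-CBC (16-byte block and IV) and a 12-byte truncated HMAC ICV; those cipher parameters, the 1500-byte figures, and the function names are assumptions for illustration, not something the thread specifies. The 8-byte fragment-offset granularity and the 20-byte minimal IPv4 header are protocol facts.

```python
"""ESP tunnel-mode overhead, the inner MTU a gateway would have to advertise
via PMTU, and what happens to the outer packet when it cannot.

Added example; cipher parameters are assumed (AES-CBC + HMAC-SHA1-96).
"""

IPV4_HDR = 20        # minimal outer IPv4 header, no options
ESP_SPI_SEQ = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)


def esp_padding(payload_len, block_size=16):
    """Bytes of ESP padding so that payload + padding + trailer is a
    multiple of the cipher block size (AES-CBC assumed)."""
    return (-(payload_len + ESP_TRAILER)) % block_size


def esp_tunnel_size(inner_len, block_size=16, iv_len=16, icv_len=12):
    """Outer IPv4 packet length for an inner packet of inner_len bytes.

    Tunnel mode encapsulates the whole inner IP packet, so the inner
    header counts as payload. Assumed layout:
    outer IP | SPI+seq | IV | inner packet | padding | trailer | ICV
    """
    pad = esp_padding(inner_len, block_size)
    return (IPV4_HDR + ESP_SPI_SEQ + iv_len + inner_len
            + pad + ESP_TRAILER + icv_len)


def max_inner_for_mtu(mtu, **cipher):
    """Largest inner packet whose encapsulation still fits the outbound
    MTU: the value a gateway would report in an ICMP 'fragmentation
    needed' message if PMTU discovery is to work end to end."""
    best = 0
    for n in range(1, mtu + 1):
        if esp_tunnel_size(n, **cipher) <= mtu:
            best = n
    return best


def fragment_outer(total_len, mtu):
    """IPv4-fragment an outer packet of total_len bytes to fit mtu.

    Returns (offset_bytes, payload_len, more_fragments) per fragment.
    Every non-final fragment carries a payload that is a multiple of 8,
    because the IPv4 fragment offset field counts 8-byte units.
    """
    payload = total_len - IPV4_HDR
    chunk = (mtu - IPV4_HDR) // 8 * 8
    frags, off = [], 0
    while off < payload:
        n = min(chunk, payload - off)
        frags.append((off, n, off + n < payload))
        off += n
    return frags


def outbound_decision(inner_len, mtu, df, icmp_delivered=True, **cipher):
    """What a security gateway can do with an inner packet (assumed policy):
    forward if it fits; if DF is honoured, signal PMTU (which only helps
    when the ICMP actually reaches the sender); otherwise fragment the
    outer packet, leaving the peer to reassemble."""
    if esp_tunnel_size(inner_len, **cipher) <= mtu:
        return "forward"
    if df:
        return "icmp-frag-needed" if icmp_delivered else "blackhole"
    return "fragment-outer"


if __name__ == "__main__":
    # A full-size 1500-byte inner packet on a 1500-byte outbound link.
    outer = esp_tunnel_size(1500)
    print("outer packet:", outer)                    # 1560
    print("fragments:", fragment_outer(outer, 1500)) # 1480 + 60 byte payloads
    print("inner MTU to advertise:", max_inner_for_mtu(1500))  # 1438
    print(outbound_decision(1500, 1500, df=True, icmp_delivered=False))
```

The last line is Scott's scenario: the sender sets DF, the gateway cannot fit the packet once ESP is added, and the ICMP it sends back is dropped by an intermediate firewall, so the flow stalls unless the gateway is allowed to clear DF and fragment the outer packet.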