
RE: Problem about reassembly and fragmentation



Shicai, I think the keyword Steve brings up is to
minimize where possible fragmentation by using PMTU.
There will still be situations (applications) where 
it is not possible to completely get rid of 
fragmentation altogether.

> -----Original Message-----
> From: Hu, Shicai [mailto:shicai@cryptek.com]
> Sent: Monday, March 11, 2002 4:03 PM
> To: Stephen Kent; Scott Fluhrer
> Cc: ipsec@lists.tislabs.com
> Subject: RE: Problem about reassembly and fragmentation
> 
> 
> PMTU only applies in the case of DF bit set, right?
> 
> Why some application layers like NFS want to send very large packets:
> NFS version 2 can send 8K size per message flow, NFS version 3 can
> send 32K bytes per message flow. How can PMTU handle this kind of case?
> 
> -----Original Message-----
> From: Stephen Kent [mailto:kent@bbn.com]
> Sent: Monday, March 11, 2002 11:58 AM
> To: Scott Fluhrer
> Cc: ipsec@lists.tislabs.com
> Subject: RE: Problem about reassembly and fragmentation
> 
> 
> At 8:02 AM -0800 3/11/02, Scott Fluhrer wrote:
> >At 06:11 AM 3/11/02 , Stephen Kent wrote:
> >>
> >>  [I]n transport mode, the packets received by an IPsec implementation for
> >>  outbound processing ought not be fragments, otherwise the implementation
> >>  has to assemble them before applying IPsec. In tunnel mode, the IPsec
> >>  implementation may receive fragments for outbound processing.  In either
> >>  case, the addition of the IPsec headers may exceed the MTU for the
> >>  outbound interface, so the "outer" header (the only header for transport
> >>  mode) may exhibit fragmentation. I'd like to push for mandatory use of
> >>  PMTU and thus an ability to avoid the need to fragment, and perhaps
> >>  avoid the need to perform reassembly at the receiver, to remove this
> >>  means of DoS attacks against receivers.
> >
> >
> >While I appreciate your trying to allow a security gateway to avoid
> >fragmentation, I doubt that it will always be practical in IPv4.  I have
> >seen networks where either:
> >
> >- The end application is too stupid to understand PMTU
> >- There's a firewall between the security gateway and the end system
> >  which drops all ICMP messages
> >
> >In either of these cases, PMTU doesn't work.  And hence, we're either
> >going to stop supporting those legacy networks, or we're just going to
> >allow security gateways to fragment anyways.
> >
> >--
> >scott
> 
> Scott,
> 
> I'm surprised that there are many OS instances today (it's not an 
> application issue, right?) that still don't respond to PMTU.
> 
> As for the firewall problem, there is a complementary issue, 
> firewalls and NAT devices that drop fragments, because they can't 
> look at port fields.  We had a report at the last meeting of 
> experience with NAT devices dropping fragments, which was causing 
> problems for the UDP encapsulation strategy. Thus we may have 
> problems in both cases and I'd argue for an approach that emphasizes 
> MTU-based solutions to these problems, and a minimization of 
> fragmentation on both sides of an IPsec implementation.
> 
> Steve
>
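As an added example, not part of this thread, here is a small Python model of the arithmetic behind the discussion: ESP tunnel-mode overhead against the outbound MTU, the inner PMTU a gateway should report when DF is set, and the fragment count on the wire when DF is clear. The cipher sizes (AES-CBC with a 16-byte IV, HMAC-SHA1-96) and the NFS datagram sizes used in the demonstration are assumptions; the thread names no specific algorithms.

```python
# Added example (not from the thread): how ESP tunnel-mode overhead interacts with
# the outbound MTU, DF and PMTU. Cipher parameters (AES-CBC, HMAC-SHA1-96) are assumed.
from dataclasses import dataclass

IPV4_HDR = 20    # outer IPv4 header added in tunnel mode
ESP_HDR = 8      # SPI + sequence number
ESP_TRAILER = 2  # pad length + next header

@dataclass(frozen=True)
class EspParams:
    iv_len: int = 16   # assumed: AES-CBC IV
    block: int = 16    # assumed: AES block size
    icv_len: int = 12  # assumed: HMAC-SHA1-96 ICV

def esp_tunnel_size(inner_len: int, p: EspParams = EspParams()) -> int:
    """Outer packet length after ESP tunnel-mode encapsulation of one inner IP packet."""
    enc = inner_len + ESP_TRAILER
    enc += (-enc) % p.block  # pad up to the cipher block size
    return IPV4_HDR + ESP_HDR + p.iv_len + enc + p.icv_len

def inner_pmtu(outer_mtu: int, p: EspParams = EspParams()) -> int:
    """Largest inner packet that still fits after encapsulation: the MTU to report to a PMTU-aware source."""
    fixed = IPV4_HDR + ESP_HDR + p.iv_len + p.icv_len
    return (outer_mtu - fixed) // p.block * p.block - ESP_TRAILER

def ip_fragments(total_len: int, mtu: int) -> int:
    """Number of IPv4 fragments for a packet (fragment data is a multiple of 8 bytes)."""
    if total_len <= mtu:
        return 1
    per_frag = (mtu - IPV4_HDR) // 8 * 8
    return -(-(total_len - IPV4_HDR) // per_frag)

def outbound(inner_len: int, df: bool, outer_mtu: int, p: EspParams = EspParams()):
    """Gateway decision for one inner packet: (action, number of outer packets on the wire)."""
    outer = esp_tunnel_size(inner_len, p)
    if outer <= outer_mtu:
        return ("send", 1)
    if df:  # DF set: the source learns inner_pmtu() from ICMP and shrinks its packets
        return ("icmp_frag_needed", 0)
    # DF clear: the outer packet is fragmented on the wire and the peer must reassemble
    return ("fragment", ip_fragments(outer, outer_mtu))

if __name__ == "__main__":
    # Constructed case: an NFSv2 8 KB UDP datagram from a host that ignores PMTU,
    # crossing a 1500-byte link before the gateway and a 1500-byte link after it.
    nfs = 20 + 8 + 8192
    print("inner PMTU to advertise:", inner_pmtu(1500))
    print("whole datagram, DF clear:", outbound(nfs, False, 1500))
    print("host splits it into", ip_fragments(nfs, 1500), "pieces; each 1500-byte piece:", outbound(1500, False, 1500))
```

The last line shows Steve's "both sides" point: a datagram already fragmented by a host that ignores PMTU arrives in 1500-byte pieces, and each piece is fragmented again after encapsulation, so the receiver must reassemble at two layers.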