
Re: IKE negotiation for fragmentation controls in IPsec



At 10:36 AM -0700 6/26/03, Srinivasa Rao Addepalli wrote:
>Hi,
>   
>Imagine this scenario:
>
> 
>-----------SecurityGW1----------Router1----Router2------------SecurityGW2---
>
>As I understand from the description, once SG1 and SG2 negotiate
>and come to understanding, then SG2 can drop fragmented secured
>packets. But the routers in between can fragment the packets.
>To avoid this situation, SG1 has to set the DF bit and PMTU
>processing should be MUST in this case.  Is it right to assume that
>all core and edge routers/firewalls in Internet and enterprise support passing
>the ICMP error messages? I keep hearing that most (may be some) firewalls
>can be explicitly configured to discard ICMP error messages.
>
>Thanks
>Srini

Any statement of the form "all X in the Internet do Y" is very likely 
to be false :-)

In many (most?) current deployments, IPsec is at the perimeter of an 
organizational enclave and thus is either parallel to a firewall or 
is part of the same system as a firewall.  If an IPsec system is 
behind a firewall, then one encounters problems with getting IPsec 
traffic through, in many cases, just as one might have trouble 
getting ICMP traffic through.

Ultimately, the best solution, from a pragmatic and security 
perspective, is likely to be a means of determining PMTU that rides 
over IPsec, e.g., within a tunnel, and thus avoids the question of 
whether any intermediate routers or firewalls play the PMTU discovery 
game.  It would be possible to do that today, sending ICMP traffic 
between two IPsec implementations, encapsulated in a tunnel, if the 
SPDs at each end allow it, but we ought to consider a more formal 
specification of a mechanism going forward.

Steve
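The two situations discussed above, as a small added model (not code from this thread or from any IPsec implementation): SG1 encapsulates in ESP tunnel mode with DF set; classic PMTU discovery depends on intermediate routers' ICMP errors getting back to SG1, while probing inside the tunnel only depends on whether SG2 receives the probe. The ESP overhead sizes, the three-hop path and the function names are assumptions.

```python
# Constructed ESP tunnel-mode overhead (assumed AES-CBC + HMAC-SHA1-96): outer IPv4, ESP hdr, IV, ICV, block
OUTER_IP, ESP_HDR, ESP_IV, ESP_ICV, ESP_BLOCK = 20, 8, 16, 12, 16

class BlackHole(Exception):
    """DF-set packet dropped at a hop whose ICMP error never reached SG1."""

def esp_tunnel_size(inner_len):
    """Outer packet size for an inner IP packet of inner_len bytes."""
    pad = -(inner_len + 2) % ESP_BLOCK  # pad so data+padlen+nexthdr fill whole blocks
    return OUTER_IP + ESP_HDR + ESP_IV + inner_len + pad + 2 + ESP_ICV

def forward(outer_len, path_mtus, icmp_passes):
    """Push a DF-set packet hop by hop.  Returns the MTU reported by the router that
    sent ICMP 'fragmentation needed', or None if the packet reached SG2."""
    for mtu in path_mtus:
        if outer_len > mtu:
            if icmp_passes:
                return mtu
            raise BlackHole(mtu)  # router dropped it and a firewall ate the ICMP error
    return None

def classic_pmtud(inner_len, path_mtus, icmp_passes):
    """SG1 relying on ICMP from intermediate routers.  Returns the inner size that
    finally gets through, or None when filtered ICMP turns the path into a black hole."""
    try:
        while True:
            limit = forward(esp_tunnel_size(inner_len), path_mtus, icmp_passes)
            if limit is None:
                return inner_len
            # largest inner packet whose encapsulation fits the reported MTU
            inner_len = next(n for n in range(limit, 0, -1) if esp_tunnel_size(n) <= limit)
    except BlackHole:
        return None

def in_tunnel_pmtud(path_mtus, lo=576, hi=1500):
    """Probe inside the tunnel, as the reply suggests: a probe succeeds only if SG2
    receives it, so what the routers do with ICMP is irrelevant.  Binary search."""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if all(esp_tunnel_size(mid) <= mtu for mtu in path_mtus):
            lo = mid
        else:
            hi = mid - 1
    return lo

if __name__ == "__main__":
    path = [1500, 1400, 1500]  # constructed: Router1 has a 1400-byte link
    print(classic_pmtud(1500, path, icmp_passes=True))   # 1342
    print(classic_pmtud(1500, path, icmp_passes=False))  # None (black hole)
    print(in_tunnel_pmtud(path))                         # 1342
```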