Re: IKE negotiation for fragmentation controls in IPsec

["Srinivasa Rao Addepalli" <srao@intotoinc.com>]

> >       Outbound Processing steps:
> >              - Reassemble the packet (Packet coming from trusted network).
> 
> NO. there is no implied reassembly by the transmitter.
> 
> I won't comment on the rest of your message since this assumption was 
> not right and it may influence later parts of your message.
>
 
I am curious on why this is not needed.
IPSEC SPD supports selector space with not only IP addresses, but also
with TCP/UDP port values. If some sort of reassembling is not done(either wait
for all fragments OR maintain reassembly state with IP ID, SIP, DIP), there
is possibility of mapping the non-first fragments of the packets to the wrong
security policy. Only first fragment has TCP/UDP information and it chooses
the correct security policy. 

Complete IP reassembling helps in finding out obvious DoS attacks and
helps in reducing  the number of encapsulated IPSEC packets.

Srini