Re: IKE negotiation for fragmentation controls in IPsec

[Markku Savela <msa@burp.tkv.asdf.org>]

> From: Stephen Kent <kent@bbn.com>

> IPsec has always been applied to fragments that arrive at an SG, or 
> in the case of IPv6, that are emitted by a host internally.
> 
> >Previously SG had to assemble the packets before doing IPSEC.
> 
> could you remind me of where we said that in 2401?

Hmm.. I could have sworn it was said somewhere. But, I guess my mind
is just playing tricks, by deducing that by implication: if you must
implement port (or transport protocol in Ipv6) selector, you must
assemble full packet anyway (at at least potentially buffer all
fragments, because there have been systems that send fragments in
reverse order even!)

Concerning the change text...

>   By sending this notification the sender announces that it
>   will always fragment packets before encapsulating them to
>   the IPsec packets, i.e the recipient of this notification
>   MAY drop all fragmented IPSec packets, as they are not
>   generated by the other end.

The last sentence may cause black hole. The sender cannot guarantee
that some router on the way does not fragment IPSec packet, unless the
above also implies that sender must set DF bit on IPv4 header? Right?

Naturally, for IPv6 this is not the issue.

As for DOS attacks with fragments, I don't see anything that relates
directly to IPsec. All fragmentation attacks are just fragmentation
attacts, regardless whether IPsec is present or not.

The only issue that could be mentioned is: if framents are IPseced, a
firewall doing something with fragments doesn't see them as fragments
(both IPv4 and IPv6).