[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SAs that carry fragments Was: Re: Some IKEv2 issues




IPSEC:ing fragments? First, I really don't like the idea. But, anyway
a comment to

> From: Tero Kivinen <kivinen@iki.fi>
> So we are now only talking about tunnel mode.

In theory one could apply IPSEC to IPv6 fragments in transport
mode. However, it's technically impossible to apply IPSEC to IPv4
fragments, except by tunneling (think, where do you put the fragment
offset and M-bit, and how the receiver would work?).

I would prefer, that if IPSEC tunneling fragments is a MUST, only the
support for address selectors would be required by IPSEC.

And I would still disallow applying transport mode IPSEC to IPv6
fragments, even if it technically might be possible (need to look into
this, it would be somewhat weird path in my implementation, probably
will not work at all).