
Re: SAs that carry fragments Was: Re: Some IKEv2 issues



Stephen Kent writes:
> >Or just drop non-initial fragments arriving before their corresponding
> >initial fragments (or so much later that the corresponding initial
> >fragments have fallen off the cache).
> >
> >IP can lose packets.  Sometimes it's good to exercise this feature.
> 
> yes, sometimes taking advantage of this "feature" can make our lives 
> easier as designers ;-)

Yes, but as vendors shipping code, it would be quite unacceptable to
say that, sorry, any Linux n.y box you have in the network cannot get
any fragmented packets through your SGW. Some Linux kernel versions
used to send all fragments in reverse order, meaning that for all
fragmented packets every fragment other than the first would be
dropped.

> >In transport mode scenarios (IPv4) this doesn't apply either since the
...
> In a BITS implementation the host could have fragmented prior to 
> IPsec receiving the packet, but one would certainly expect that the 
> first fragment would arrive at the BITS first in that case.

I think you have no other way than to reassemble the packet in those
cases. RFC 2401 and RFC 2401bis both say that you cannot apply IPsec
using transport mode to IPv4 packets that are fragments. I.e. if the
BITS implementation receives a fragmented packet and the SA is in
transport mode, it must first reassemble the packet, then apply IPsec,
and then fragment the packet again.
-- 
kivinen@safenet-inc.com
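The two behaviours discussed in this thread, the "drop non-initial fragments that arrive before the initial one" policy versus holding every fragment until the datagram is complete, as an added illustration that is not code from this thread or from any IPsec implementation. It simulates a small fragment cache in Python; the Fragment type, the deliver/try_reassemble names, and the reverse-order sample datagram are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Fragment:
    ident: int      # IP Identification field, shared by all fragments of one datagram
    offset: int     # byte offset of this fragment's data (real IPv4 encodes 8-byte units)
    more: bool      # More Fragments (MF) flag; False only on the last fragment
    data: bytes

def try_reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Return the whole datagram if the cached fragments cover it without gaps."""
    frags = sorted(frags, key=lambda f: f.offset)
    if not frags or frags[0].offset != 0 or frags[-1].more:
        return None
    out = b""
    for f in frags:
        if f.offset != len(out):        # gap or overlap: not complete yet
            return None
        out += f.data
    return out

def deliver(arrivals: List[Fragment], hold_orphans: bool) -> Tuple[List[bytes], int]:
    """Feed fragments through a reassembly cache.

    hold_orphans=False is the policy quoted in the thread: a non-initial fragment
    is dropped unless the initial fragment (offset 0) of its datagram is cached.
    hold_orphans=True keeps every fragment until the datagram completes, which is
    what a BITS/SGW has to do before applying transport-mode IPsec to it.
    Returns (reassembled datagrams, number of fragments dropped)."""
    cache: Dict[int, List[Fragment]] = {}
    done, dropped = [], 0
    for f in arrivals:
        have_initial = any(c.offset == 0 for c in cache.get(f.ident, []))
        if f.offset != 0 and not have_initial and not hold_orphans:
            dropped += 1
            continue
        cache.setdefault(f.ident, []).append(f)
        whole = try_reassemble(cache[f.ident])
        if whole is not None:
            done.append(whole)
            del cache[f.ident]
    return done, dropped

# Constructed sample: one 24-byte datagram split into three 8-byte fragments,
# sent last-fragment-first, as the thread says some Linux kernels used to do.
REVERSED = [
    Fragment(ident=7, offset=16, more=False, data=b"CCCCCCCC"),
    Fragment(ident=7, offset=8, more=True, data=b"BBBBBBBB"),
    Fragment(ident=7, offset=0, more=True, data=b"AAAAAAAA"),
]
```

With the drop policy the reversed datagram never reassembles (two of three fragments are dropped before the initial one shows up), while the same fragments in sending order pass; holding orphans delivers the datagram in both orders.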