
[Ipsec] Fragmentation of IPv6 tunneled packets




Hi,

I am going through fragmentation issues in IPv6 and there is one question
that I would like to ask. Let's assume that host A sends a 5KB UDP
packet to host B and uses an IPSec tunnel via SGW C. In this case the
IPSec implementation in host A receives the full 5KB UDP packet,
encrypts the packet (IPSec ESP tunnel), then fragments it into several fragments
and sends the fragments to SGW C. SGW C reassembles the fragments, decrypts
IPSec ESP and tries to forward the original 5KB UDP packet to host B.
But if IPv6 is used in this scenario, SGW C is not allowed to fragment
the UDP packet, but it should send ICMP "packet too big" to host A.

As a general rule it seems that a packet should first be IPSec protected
and then fragmented, but in this case that seems to lead to problems.

So should the SGW fragment the packet and forward the fragments to host B,
or should host A fragment the packet before applying the IPSec tunnel to it?


Mika


_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec