IPsec and Fragmentation
Karen Heron <heron@us.ibm.com> Mon, 06 July 1998 13:42 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id JAA08628 for ipsec-outgoing; Mon, 6 Jul 1998 09:42:50 -0400 (EDT)
From: Karen Heron <heron@us.ibm.com>
To: ipsec@tis.com
Subject: IPsec and Fragmentation
Message-ID: <5040300017909679000002L092*@MHS>
Date: Mon, 06 Jul 1998 09:56:05 -0400
MIME-Version: 1.0
Content-Type: text/plain
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
In draft-ietf-ipsec-arch-sec-05, Appendix B, section B.2, Fragmentation, it states that "Fragmentation MUST be done after outbound IPsec processing." I am seeing a problem when doing this. I have the following setup:

           +--------------------------------------------------------+
H1---|----MTU=2000-----RTR------MTU=1280------|------SG1-----MTU=1500-----H2
           +--------------------------------------------------------+
                              SA, tunnel mode

H1, H2 - hosts
RTR    - intermediate router in the secure tunnel
SG1    - security gateway

What I've tried to show is a tunnel mode SA between H1 and SG1 that will secure packets from H1 to H2. The MTU in the tunnel will be 1280.

Here's what I see happening:

1. H1 sends 1800 bytes to H2. It is secured (it has an outer header) and sent into the tunnel.
2. A packet too big is sent back from RTR with an MTU of 1280.
3. H1 sends 1800 bytes to H2. It is secured and has an outer header from H1 to SG1. It is fragmented and sent into the tunnel.
4. SG1 receives the fragments and reassembles.
5. SG1 de-capsulates the packet and attempts to forward to H2.
6. This fails since the packet is 1800 bytes and the MTU on the output net for SG1 is 1500 bytes.

Have I implemented something incorrectly? It appears that I am following the architecture for H1 (i.e., securing and then fragmenting), but I don't see how I can get these large packets to H2 unless I fragment and then secure in H1. Any help would be appreciated.

By the way, my example is for IPv6 (no fragmentation allowed by intermediate routers) although the same problem exists for IPv4 with the DF bit set in the inner and outer headers.

Karen Heron
Router Development
IBM, RTP, NC
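The six-step sequence in the message above, as an added simulation that is not part of Karen's post or of any IPsec implementation. The topology and MTUs (2000, 1280, 1500) and the 1800-byte packet are the ones from the message; the ESP tunnel-mode overhead constant is an assumed illustrative value, and the fragmenter is a simplified IPv6 model (one Fragment header per fragment, 8-byte aligned payloads).

```python
"""Secure-then-fragment in tunnel mode: why PMTU discovery at H1 does not
help SG1's egress link. Added example; constants marked 'assumed' are not
from the message."""
from dataclasses import dataclass, field

IPV6_HDR = 40              # outer IPv6 header added by tunnel mode
ESP_OVERHEAD = 8 + 8 + 12  # assumed: ESP header, IV/padding, ICV (illustrative)
FRAG_HDR = 8               # IPv6 Fragment extension header
TUNNEL_MTU = 1280          # what H1 learns from RTR's Packet Too Big
SG1_EGRESS_MTU = 1500      # link from SG1 towards H2

@dataclass
class Trace:
    steps: list = field(default_factory=list)
    delivered: bool = False

def encapsulate(inner_len):
    """Outer packet length after tunnel-mode ESP processing at H1."""
    return inner_len + IPV6_HDR + ESP_OVERHEAD

def fragment(outer_len, mtu):
    """Fragment the *outer* packet, i.e. after IPsec processing (arch B.2).
    Returns the on-the-wire length of each fragment."""
    per_frag = (mtu - IPV6_HDR - FRAG_HDR) // 8 * 8  # fragmentable part, 8-aligned
    body, frags = outer_len - IPV6_HDR, []
    while body > 0:
        take = min(per_frag, body)
        frags.append(IPV6_HDR + FRAG_HDR + take)
        body -= take
    return frags

def simulate(inner_len):
    """Walk one inner packet H1 -> RTR -> SG1 -> H2 and record each step."""
    t = Trace()
    outer = encapsulate(inner_len)
    t.steps.append(f"H1 secures {inner_len} bytes; outer packet is {outer} bytes")
    frags = fragment(outer, TUNNEL_MTU)          # step 3: fragment after IPsec
    t.steps.append(f"H1 sends {len(frags)} fragments, max {max(frags)} <= {TUNNEL_MTU}")
    t.steps.append(f"SG1 reassembles {outer} bytes, decapsulates to {inner_len}")
    if inner_len > SG1_EGRESS_MTU:               # step 6: inner packet never shrank
        t.steps.append(f"SG1 cannot forward: {inner_len} > egress MTU {SG1_EGRESS_MTU}")
    else:
        t.delivered = True
        t.steps.append("H2 receives the packet")
    return t

if __name__ == "__main__":
    for line in simulate(1800).steps:
        print(line)
```

Fragmenting the outer packet satisfies the tunnel MTU, but the inner packet that SG1 decapsulates is still 1800 bytes, so the drop at step 6 is independent of what H1 learned from RTR.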