IETF Logo Mail Archive

Re: IPsec and Fragmentation

Karen Heron <heron@us.ibm.com> Tue, 07 July 1998 11:15 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id HAA12790 for ipsec-outgoing; Tue, 7 Jul 1998 07:15:23 -0400 (EDT)
From: Karen Heron <heron@us.ibm.com>
To: kent@bbn.com
Cc: ipsec@tis.com, danmcd@Eng.Sun.Com
Subject: Re: IPsec and Fragmentation
Message-ID: <5040300017945831000002L012*@MHS>
Date: Tue, 07 Jul 1998 07:28:44 -0400
MIME-Version: 1.0
Content-Type: text/plain
Sender: owner-ipsec@ex.tis.com
Precedence: bulk


> Dan and Karen,
>
> Section 3.2.5 of the architecture document states that transport mode is
> always applied to whole IP datagrams, but that tunnel mode may be applied
> to packet fragments.  This was motivated by the need to accommodate
> security gateways, and BITS, BITW implementations, but you can legitimately
> apply tunnel mode processing in this fashion in your host to make matching
> of MTU info to the headers easier.  The IPsec receiver at H2 does not know
> whether you have a BITS or BITW implementation vs. a native implementation,
> so it must be prepared to accept encapsulated fragments in tunnel mode.
>
> Steve

Thanks for the clarification. (However, I'm having trouble finding section
3.2.5 in my copy of the architecture doc (draft-ietf-ipsec-arch-sec-05)).  But
I believe that the statement in Appendix B, section B.2, "Fragmentation MUST
be done after outbound IPsec processing." is incorrect.  In fact, for a tunnel
mode SA on a host, fragmentation must be done before IPsec processing to make
PMTU discovery work, correct?


Karen Heron
Router Development
IBM, RTP, NC

v2.23.0 | Report a Bug | By Email