Re: IPsec and Fragmentation
Karen Heron <heron@us.ibm.com> Tue, 07 July 1998 11:15 UTC
From: Karen Heron <heron@us.ibm.com>
To: kent@bbn.com
Cc: ipsec@tis.com, danmcd@Eng.Sun.Com
Subject: Re: IPsec and Fragmentation
Message-ID: <5040300017945831000002L012*@MHS>
Date: Tue, 07 Jul 1998 07:28:44 -0400

> Dan and Karen,
>
> Section 3.2.5 of the architecture document states that transport mode is
> always applied to whole IP datagrams, but that tunnel mode may be applied
> to packet fragments. This was motivated by the need to accommodate
> security gateways, and BITS, BITW implementations, but you can legitimately
> apply tunnel mode processing in this fashion in your host to make matching
> of MTU info to the headers easier. The IPsec receiver at H2 does not know
> whether you have a BITS or BITW implementation vs. a native implementation,
> so it must be prepared to accept encapsulated fragments in tunnel mode.
>
> Steve

Thanks for the clarification. (However, I'm having trouble finding section 3.2.5 in my copy of the architecture doc (draft-ietf-ipsec-arch-sec-05)).

But I believe that the statement in Appendix B, section B.2, "Fragmentation MUST be done after outbound IPsec processing." is incorrect. In fact, for a tunnel mode SA on a host, fragmentation must be done before IPsec processing to make PMTU discovery work, correct?

Karen Heron
Router Development
IBM, RTP, NC