Why can't ?
"srinivasrao.kulkarni" <srinu@trinc.com> Tue, 17 March 1998 06:46 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id BAA13329 for ipsec-outgoing; Tue, 17 Mar 1998 01:46:37 -0500 (EST)
Message-Id: <3.0.1.32.19980317094511.006bd1e0@192.9.200.10>
X-Sender: srinu@192.9.200.10
X-Mailer: Windows Eudora Light Version 3.0.1 (32)
Date: Tue, 17 Mar 1998 09:45:11 +0500
To: ipsec@tis.com
From: "srinivasrao.kulkarni" <srinu@trinc.com>
Subject: Why can't ?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Hi All,

With respect to the draft draft-ietf-ipsec-arch-sec-04.txt, Case 3:

This case combines cases 1 and 2, adding end-to-end security between the sending and receiving hosts. It imposes no new requirements on the hosts or security gateways, other than a requirement for a security gateway to be configurable to pass IPsec traffic (including ISAKMP traffic) for hosts behind it.

    =============================================================
    |               ===SG3*=========*SG5===                     |
    |               |   |            |   |                      |
    |               |   |===SG4=============                    |
    |  --|-----------------|---    --|-------------------|--    |
    |  |    Trusted N/W    |   |  |  |    Trusted N/W    |  |   |
    |  H1 -- (Local --- SG1* |-- (Internet) --| SG2* --- (Local --- H2 |
    |  |    Intranet)       |   |  |  |       Intranet)  |      |
       ------------------------    -------------------------
          admin. boundary             admin. boundary

Let us consider the following situation:

* SG3, SG4 and SG5 are in between routers.
* SG1 and SG2 have an AH/ESP tunnel.
* SG3 and SG5 have an AH/ESP tunnel.
* Host H1 sends out a packet destined to H2.
* SG1 applies IPsec and the packet gets fragmented.
* The first fragment reaches SG5 and then SG2 through SG4, without any IPsec applied, since there is no security association between SG4 and SG5.
* The rest of the fragments go through SG3.

Since IPsec does not process fragments, the fragments in the SG3-SG5 tunnel get dropped.

Of course, if the PMTU is proper and is above the threshold for MTU, there will not be fragments. But in the rare case where the PMTU is lower than the threshold, or the path changes in the middle of a transmission, there could be fragments.

Is this scenario feasible, in the first place? We think it is possible. Will these fragments be discarded? Is it essential for them to be discarded?

Bridging the gap between hardware and software
with best wishes
- K. SrinivasRao (email: srinu@trinc.com)
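The fragmentation problem raised above, as an added toy model that is not part of the original post or of any IPsec implementation: an ESP tunnel-mode packet is fragmented by an intermediate router, only the first fragment carries the ESP header with the SPI, so a gateway that tries to match fragments to a security association one by one fails on every later fragment, whereas one that reassembles first can process the packet. Encryption and integrity protection are left out, and all packet contents are constructed; the function and field names are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional

ESP_HDR_LEN = 8  # SPI (4 bytes) + sequence number (4 bytes), as in ESP

@dataclass
class Fragment:
    ident: int      # IP identification shared by all fragments of one packet
    offset: int     # fragment offset in bytes (always a multiple of 8)
    more: bool      # "more fragments" flag
    payload: bytes  # this fragment's slice of the outer IP payload

def esp_encapsulate(spi: int, seq: int, inner: bytes) -> bytes:
    """Toy tunnel-mode ESP: SPI and sequence number prepended to the inner
    packet. Encryption and ICV are omitted; only the header layout matters."""
    return spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + inner

def fragment(ident: int, payload: bytes, mtu_payload: int) -> List[Fragment]:
    """Split an outer IP payload the way a router does when it exceeds the MTU."""
    assert mtu_payload % 8 == 0, "fragment offsets are counted in 8-byte units"
    frags = []
    for off in range(0, len(payload), mtu_payload):
        chunk = payload[off:off + mtu_payload]
        frags.append(Fragment(ident, off, off + len(chunk) < len(payload), chunk))
    return frags

def spi_from_fragment(frag: Fragment) -> Optional[int]:
    """Per-fragment SA lookup: only the first fragment carries the ESP header,
    so a gateway that does not reassemble cannot match later fragments to an SA."""
    if frag.offset != 0 or len(frag.payload) < ESP_HDR_LEN:
        return None  # no SPI visible: SA lookup fails and the fragment is dropped
    return int.from_bytes(frag.payload[:4], "big")

def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Reassemble before any IPsec processing, as the tunnel endpoint has to.
    Returns None if fragments are missing, e.g. because some took another path."""
    if not frags or len({f.ident for f in frags}) != 1:
        return None
    buf, expect = b"", 0
    for f in sorted(frags, key=lambda f: f.offset):
        if f.offset != expect:
            return None  # gap in the sequence
        buf += f.payload
        expect += len(f.payload)
    return None if f.more else buf
```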
- Why can't ? srinivasrao.kulkarni
- Re: Why can't ? Charles Lynn
- Re: Why can't ? Mingtai_Chang
- Re: Why can't ? K SrinivasRao