Fragmentation, Inbound processing
"David W. Faucher" <dfaucher@lucent.com> Mon, 10 August 1998 18:43 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id OAA23264 for ipsec-outgoing; Mon, 10 Aug 1998 14:43:29 -0400 (EDT)
Message-Id: <35CF4360.C63141DC@lucent.com>
Date: Mon, 10 Aug 1998 14:00:48 -0500
From: "David W. Faucher" <dfaucher@lucent.com>
Organization: Lucent Technologies
X-Mailer: Mozilla 4.03 [en] (WinNT; U)
Mime-Version: 1.0
To: ipsec@tis.com
Subject: Fragmentation, Inbound processing
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Section 4.1 of draft-ietf-ipsec-arch-sec-07.txt states:

    [snip]
    The requirement for any (transit traffic) SA involving a security
    gateway to be a tunnel SA arises due to the need to avoid potential
    problems with regard to fragmentation and reassembly of IPsec
    packets, and in circumstances where multiple paths (e.g., via
    different security gateways) exist to the same destination behind
    the security gateways.

Could someone elaborate on what exactly are the "potential problems" or point me to a document explaining them?

Section 4.4.2 of draft-ietf-ipsec-arch-sec-07.txt states:

    [snip]
    If the packet has been fragmented, then the port information may
    not be available in the current fragment. If so, discard the
    fragment. An ICMP PMTU should be sent for the first fragment, which
    will have the port information. [MAY be supported]

I am confused by the discard fragment action. If security gateways can apply IPsec to an IP packet whose payload may be an IP fragment, then why would we discard the fragment?

Section 5.2.1 of draft-ietf-ipsec-arch-sec-07.txt states:

    [snip]
    NOTE: The correct "matching" policy will not necessarily be the
    first inbound policy found. The SPD is an ordered list of entries.

If the correct matching policy was not the first inbound policy found, wouldn't that imply that the SPD is not really ordered? Or, am I missing something?

Thanks

--
David W. Faucher
Lucent Technologies - Bell Labs
dfaucher@lucent.com
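The section 4.4.2 behaviour that the message asks about can be made concrete by looking at what an inbound gateway actually has in hand for each fragment. The Python below is an added illustration, not code from the draft or from the poster: it builds constructed IPv4 fragments of one UDP datagram and shows that only the fragment at offset 0 carries the transport header, so an SPD entry that selects on ports cannot be matched against a later fragment and the draft's "discard" branch is taken. The single-entry dict policy and the packet builder are assumptions for the example.

```python
import socket
import struct

TCP, UDP = 6, 17

def build_ipv4(src, dst, proto, payload, frag_offset=0, more_fragments=False):
    """Build a constructed IPv4 packet (20-byte header, no options, checksum
    left at zero).  frag_offset is in 8-byte units, as on the wire."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

def selectors(packet):
    """Return (src, dst, proto, sport, dport).  Ports are None for a non-initial
    fragment: only the fragment at offset 0 carries the transport header."""
    ihl = (packet[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    proto = packet[9]
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    if frag_offset != 0 or proto not in (TCP, UDP) or len(packet) < ihl + 4:
        return src, dst, proto, None, None
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return src, dst, proto, sport, dport

def inbound_decision(packet, policy):
    """Match one inbound SPD entry whose selectors include a destination port.
    A fragment without port information is discarded, as section 4.4.2 says
    (the optional ICMP PMTU message is not modelled here)."""
    src, dst, proto, sport, dport = selectors(packet)
    if (src, dst, proto) != (policy["src"], policy["dst"], policy["proto"]):
        return "no-match"
    if dport is None:
        return "discard-fragment"
    return "match" if dport == policy["dport"] else "no-match"

# Constructed sample: a UDP datagram to port 500 split into two fragments.
POLICY = {"src": "10.0.0.1", "dst": "10.0.0.2", "proto": UDP, "dport": 500}
UDP_HEADER = struct.pack("!HHHH", 4500, 500, 8 + 16, 0)  # sport, dport, len, cksum
FIRST_FRAGMENT = build_ipv4("10.0.0.1", "10.0.0.2", UDP, UDP_HEADER + b"A" * 8,
                            frag_offset=0, more_fragments=True)
SECOND_FRAGMENT = build_ipv4("10.0.0.1", "10.0.0.2", UDP, b"A" * 8,
                             frag_offset=2, more_fragments=False)

if __name__ == "__main__":
    print(inbound_decision(FIRST_FRAGMENT, POLICY))   # match
    print(inbound_decision(SECOND_FRAGMENT, POLICY))  # discard-fragment
```

A gateway that reassembles before policy lookup, or one whose SPD entry selects only on addresses and protocol, never reaches the discard branch; the branch exists for the case where a port selector must be evaluated on an unreassembled non-initial fragment.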