
Re: Reassembly and Fragmentation - detailed Question



> Question:
> 
> What actually will happen in S.G A :
> 
> 1. Should the IP layer at S.G A reassemble all the 5000 bytes before it passes
> it up to AH and ESP processing ?

No, it should not do that.. IPSEC outbound processing should be applied
separately on each of the 1500-byte packets. Here a lot depends on the
selectors you use for selecting the Security Policy to apply.

> 2. If 1 is true, Now the AH and ESP add 50-100 bytes. Now we got datagram
> of ~5100 bytes
> 3. If the Wan connection S.G A has MTU of 1000, should the IPSec fragment
> the packet before it pass it to the IP or should the IP fragment the packet
> ?
The IP layer can take care of fragmenting the packet..

> ( 6 fragment 1000 + 1000 + 1000 +1000 + 1000 + 100 ? )
> 4. Suppose that in the Internet the packets pass via some path with 512 MTU,
> hence the 1000 bytes packets cut again to 512 and 488 bytes.

> 5. Finally the packets reach S.G B and it should pass after processing to
> Host B.
IMHO, SG.B's inbound security processing can do one reassembly before
doing the deauthentication and decrypting the inbound packet.. 

Hope it helps..
-Rohit

-- 
Rohit V. Aradhya
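As an added illustration (not part of Rohit's reply or the original thread), here is a small Python simulation of the order described above: IPsec is applied per 1500-byte packet at S.G A, the IP layer fragments the result for the 1000-byte WAN link, a 512-byte path fragments again, and S.G B reassembles before any inbound security processing. The 50-byte IPsec overhead, the 20-byte IP header per fragment and the zero-filled stand-in for ESP/AH encapsulation are assumptions for the simulation.

```python
IP_HDR = 20          # IPv4 header bytes carried by every fragment
IPSEC_OVERHEAD = 50  # assumed AH/ESP overhead per packet (thread says 50-100)

def fragment(pkt, mtu):
    """Split (ident, offset, mf, payload) into fragments that fit mtu.
    Offsets are in 8-byte units on the wire, so every fragment except the
    last carries a payload that is a multiple of 8 bytes (RFC 791)."""
    ident, offset, mf, payload = pkt
    chunk = (mtu - IP_HDR) // 8 * 8
    frags, pos = [], 0
    while pos < len(payload):
        piece = payload[pos:pos + chunk]
        last = pos + len(piece) == len(payload)
        # a piece of a non-final fragment must keep the More Fragments flag
        frags.append((ident, offset + pos, mf or not last, piece))
        pos += len(piece)
    return frags

def reassemble(frags):
    """Rebuild datagrams from fragments that may arrive out of order.
    Returns {ident: payload} only when no hole remains and the MF=0
    fragment has been seen; incomplete datagrams are held back."""
    by_id = {}
    for ident, offset, mf, piece in frags:
        by_id.setdefault(ident, []).append((offset, mf, piece))
    done = {}
    for ident, parts in by_id.items():
        buf, expect, total = bytearray(), 0, None
        for offset, mf, piece in sorted(parts):
            if offset != expect:   # hole or overlap: cannot complete yet
                break
            buf += piece
            expect += len(piece)
            if not mf:
                total = expect
        if total is not None and expect == total:
            done[ident] = bytes(buf)
    return done

def sg_a_outbound(packets, link_mtu):
    """IPsec applied per original packet, then the IP layer fragments."""
    out = []
    for ident, payload in packets:
        protected = bytes(IPSEC_OVERHEAD) + payload  # stand-in for ESP/AH
        out += fragment((ident, 0, False, protected), link_mtu)
    return out

def sg_b_inbound(frags):
    """Reassemble first, then undo the (stand-in) IPsec encapsulation."""
    return {i: p[IPSEC_OVERHEAD:] for i, p in reassemble(frags).items()}
```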