
Re: SAs that carry fragments Was: Re: Some IKEv2 issues

At 17:39 +0200 2/20/04, Markku Savela wrote:
IPSEC:ing fragments? First, I really don't like the idea. But, anyway a comment to

the need to support tunneling of fragments has been in IPsec for 5+ years. this is not a new issue. it is an issue that we are trying to address in a uniform way.

 From: Tero Kivinen <kivinen@xxxxxx>
 So we are now only talking about tunnel mode.

In theory one could apply IPSEC to IPv6 fragments in transport mode. However, it's technically impossible to apply IPSEC to IPv4 fragments, except by tunneling (think, where do you put the fragment offset and M-bit, and how the receiver would work?).

I would prefer, that if IPSEC tunneling fragments is a MUST, only the
support for address selectors would be required by IPSEC.

yes, it is a MUST. one can choose to configure an SA so that only addresses (or addresses and protocol) are examined and the ports are OPAQUE. 2401 allows that already and it should work today. but that leaves an awkward gap when ports are not OPAQUE and fragmentation occurs. we were approached by a vendor who wanted to have a well-defined, standard way to accommodate this, over a year ago, and that motivated the "carry all fragments between two sites in one tunnel" model. the WG rejected that model, but that does not make the issue go away, and since a vendor asked for this, I think it is fair to say that at least some users want the combination to work.

And I would still disallow applying transport mode IPSEC to IPv6
fragments, even if it technically might be possible (need to look into
this, it would be somewhat weird path in my implementation, probably
will not work at all).

I'll let Charlie Lynn address the vagaries of v6 fragmentation.

Steve
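The "awkward gap" Steve describes above, as an added example that is not code from this thread or from any IPsec implementation: a simplified RFC 2401 SPD lookup in which a non-initial IPv4 fragment has no port fields, so its port selectors are OPAQUE, and a port-specific SPD entry can match the first fragment but never the rest. It assumes first-match SPD search, that a packet matching no entry is discarded, and that an entry's OPAQUE port selector matches only packets whose ports are unavailable; all packets and rules are constructed inline.

```python
import socket
import struct

ANY, OPAQUE = "ANY", "OPAQUE"   # selector wildcards, simplified RFC 2401 model

def parse_ipv4(pkt: bytes) -> dict:
    """Extract selectors; ports are OPAQUE unless this is the first fragment
    of a TCP/UDP packet, because later fragments carry no transport header."""
    (ver_ihl, _, _, _, flags_frag, _, proto, _,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_frag & 0x1FFF) * 8
    sel = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
           "proto": proto, "sport": OPAQUE, "dport": OPAQUE}
    if offset == 0 and proto in (6, 17) and len(pkt) >= ihl + 4:
        sel["sport"], sel["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return sel

def selector_matches(rule_val, pkt_val) -> bool:
    if rule_val == ANY:
        return True
    if rule_val == OPAQUE:          # matches only when the field is unavailable
        return pkt_val == OPAQUE
    return rule_val == pkt_val

def spd_lookup(spd: list, pkt: bytes):
    """First-match SPD search; None means no entry applies (discard)."""
    sel = parse_ipv4(pkt)
    for rule in spd:
        if all(selector_matches(rule[k], sel[k])
               for k in ("src", "dst", "proto", "sport", "dport")):
            return rule["sa"]
    return None

def ipv4_fragment(src, dst, proto, offset, more, payload, ident=0x1234) -> bytes:
    """Build a constructed IPv4 fragment (header checksum left zero)."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed sample: one UDP 1234->53 datagram split into two fragments.
UDP_HDR = struct.pack("!HHHH", 1234, 53, 20, 0)
FRAG0 = ipv4_fragment("10.0.0.1", "10.0.1.1", 17, 0, True, UDP_HDR + b"A" * 8)
FRAG1 = ipv4_fragment("10.0.0.1", "10.0.1.1", 17, 16, False, b"B" * 4)
DNS_RULE = {"src": "10.0.0.1", "dst": "10.0.1.1", "proto": 17,
            "sport": ANY, "dport": 53, "sa": "SA-dns"}
SITE_RULE = {"src": "10.0.0.1", "dst": "10.0.1.1", "proto": 17,
             "sport": OPAQUE, "dport": OPAQUE, "sa": "SA-site"}
SPD_PORT_SPECIFIC = [DNS_RULE]             # the gap: FRAG1 matches nothing
SPD_WITH_OPAQUE = [DNS_RULE, SITE_RULE]    # FRAG1 lands on a different SA
```

With only the port-specific entry the second fragment is discarded; adding an addresses-only entry with OPAQUE ports lets it through, but the two fragments of one datagram are then protected by different SAs, which is the situation the thread is trying to define cleanly.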