IPSec transport mode, mtu, fragmentation...

Patrick M. Hausen hausen at punkt.de
Mon Dec 23 12:02:36 UTC 2019

Hi all,

> On 23.12.2019 at 12:28, Andrey V. Elsukov <bu7cher at yandex.ru> wrote:
> "If required, IP fragmentation occurs after IPsec processing within an
>  IPsec implementation. Thus, transport mode AH or ESP is applied only
> to whole IP datagrams (not to IP fragments)."
> This is exactly how it works now. IPsec does encryption and passes ESP
> packet to IP stack, then it can be fragmented if it is allowed (i.e. no
> DF bit set).
> "An IP packet to which AH or ESP has been applied may itself be
> fragmented by routers en route, and such fragments MUST be reassembled
> prior to IPsec processing at a receiver."
> If fragmentation was allowed at previous step, the receiver will have
> several fragments that will be reassembled into single ESP packet, and
> then it will be decrypted and passed to IP stack. I.e. IPsec will not
> try to decrypt each fragment before reassembly.

I'm with Andrey on this one. Shouldn't the encryption and encapsulation
layer send back a "fragmentation needed but DF set" ICMP to the sender?

It surely would if

- the system was a router
- the traffic was passing through the box instead of originating locally
- the SA was in tunnel mode or
- there was an interface for the encrypted connection with lower MTU

Looks like an oversight for transport mode and locally originating traffic to me.

Kind regards,
punkt.de GmbH
Patrick M. Hausen

Kaiserallee 13a
76133 Karlsruhe

Tel. +49 721 9109500

info at punkt.de

AG Mannheim 108285
Managing directors: Jürgen Egeling, Daniel Lienert, Fabian Stein
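The processing order the thread quotes from RFC 4301 (ESP applied to the whole datagram, IP fragmentation of the ESP packet afterwards, reassembly before decryption at the receiver) is easy to get wrong in one's head, so here is a small Python model of it. This is an added example, not FreeBSD code and not anything from the thread: packet sizes are modelled as integers, no real cipher is run, and the cipher parameters (16-byte block, 16-byte IV, 16-byte ICV, as for AES-CBC with a 128-bit ICV) and the 20-byte IPv4 header are assumptions. It also shows the number the local sender would need to learn from a PMTU signal, namely the largest cleartext payload that still fits the MTU once ESP overhead is added.

```python
# Toy model of RFC 4301 transport-mode ESP vs. IP fragmentation ordering.
# Added example, not FreeBSD code. Cipher sizes (block, IV, ICV = 16 bytes)
# and a 20-byte IPv4 header are assumed; ESP header/trailer sizes per RFC 4303.
from dataclasses import dataclass
from typing import List

ESP_HEADER = 8             # SPI (4) + sequence number (4)
ESP_TRAILER_FIXED = 2      # pad length (1) + next header (1)
IP_HEADER = 20             # IPv4 header without options (assumed)
ICMP_FRAG_NEEDED = (3, 4)  # ICMP type 3, code 4: "fragmentation needed and DF set"


@dataclass
class Datagram:
    payload_len: int   # bytes following the IP header
    df: bool           # don't-fragment bit
    inner_len: int     # cleartext payload length (what decryption recovers)
    esp: bool = False  # True once ESP has been applied

    @property
    def total_len(self) -> int:
        return IP_HEADER + self.payload_len


@dataclass
class Fragment:
    offset: int        # byte offset of this piece within the ESP payload
    length: int
    more: bool         # "more fragments" flag
    parent: Datagram


def esp_overhead(payload_len: int, block=16, iv_len=16, icv_len=16) -> int:
    """Bytes ESP adds: header, IV, padding to the cipher block, trailer, ICV."""
    pad = (-(payload_len + ESP_TRAILER_FIXED)) % block
    return ESP_HEADER + iv_len + pad + ESP_TRAILER_FIXED + icv_len


def ipsec_output(dgram: Datagram) -> Datagram:
    """Transport mode: ESP covers the whole datagram payload; the IP header stays."""
    assert not dgram.esp
    return Datagram(dgram.payload_len + esp_overhead(dgram.payload_len),
                    dgram.df, dgram.inner_len, esp=True)


def ip_output(dgram: Datagram, mtu: int):
    """IP layer after IPsec: send, fragment the ESP packet, or refuse with ICMP."""
    if dgram.total_len <= mtu:
        return "send", [Fragment(0, dgram.payload_len, False, dgram)]
    if dgram.df:
        return "icmp", ICMP_FRAG_NEEDED
    chunk = (mtu - IP_HEADER) // 8 * 8   # fragment payloads are 8-byte multiples
    frags, off = [], 0
    while off < dgram.payload_len:
        n = min(chunk, dgram.payload_len - off)
        frags.append(Fragment(off, n, off + n < dgram.payload_len, dgram))
        off += n
    return "fragment", frags


def ipsec_input(frags: List[Fragment]) -> int:
    """Receiver: reassemble first; only the whole ESP packet is decrypted."""
    frags = sorted(frags, key=lambda f: f.offset)
    expected = 0
    for f in frags:
        if f.offset != expected:
            raise ValueError("incomplete: hole before offset %d" % f.offset)
        expected = f.offset + f.length
    if frags[-1].more:
        raise ValueError("incomplete: last fragment missing")
    parent = frags[0].parent
    assert expected == parent.payload_len
    return parent.inner_len   # "decrypt": recover the cleartext length


def max_cleartext_payload(mtu: int) -> int:
    """Largest cleartext payload whose ESP-protected datagram still fits the MTU."""
    for p in range(mtu - IP_HEADER, -1, -1):
        if IP_HEADER + p + esp_overhead(p) <= mtu:
            return p
    return 0


def send(payload_len: int, mtu: int, df: bool):
    """Whole sender path: ESP first, then IP output (fragmentation or ICMP)."""
    clear = Datagram(payload_len, df, payload_len)
    return ip_output(ipsec_output(clear), mtu)


if __name__ == "__main__":
    # A 1480-byte payload fits a 1500-byte MTU in the clear, but not with ESP added.
    print(send(1480, 1500, df=True))                 # ('icmp', (3, 4))
    verdict, frags = send(1480, 1500, df=False)
    print(verdict, [(f.offset, f.length, f.more) for f in frags])
    print(ipsec_input(frags))                        # 1480
    print(max_cleartext_payload(1500))               # 1438
```

Running it shows the two cases from the thread: with DF clear the ESP packet is split into two fragments and the receiver decrypts only after reassembling both; with DF set the IP layer has nothing to fragment and the only useful outcome for a locally originating packet is some form of the "fragmentation needed" signal, whose suggested size would have to be the ESP-adjusted figure from max_cleartext_payload rather than the raw link MTU.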
