IPSec transport mode, mtu, fragmentation...

Patrick M. Hausen hausen at punkt.de
Mon Dec 23 12:02:36 UTC 2019


Hi all,

> Am 23.12.2019 um 12:28 schrieb Andrey V. Elsukov <bu7cher at yandex.ru>:
> "If required, IP fragmentation occurs after IPsec processing within an
>  IPsec implementation. Thus, transport mode AH or ESP is applied only
> to whole IP datagrams (not to IP fragments)."
> 
> This is exactly how it works now. IPsec does encryption and passes ESP
> packet to IP stack, then it can be fragmented if it is allowed (i.e. no
> DF bit set).
> 
> "An IP packet to which AH or ESP has been applied may itself be
> fragmented by routers en route, and such fragments MUST be reassembled
> prior to IPsec processing at a receiver."
> 
> If fragmentation was allowed at previous step, the receiver will have
> several fragments that will be reassembled into single ESP packet, and
> then it will be decrypted and passed to IP stack. I.e. IPsec will not
> try to decrypt each fragment before reassembly.

I'm with Andrey on this one. Shouldn't the encryption and encapsulation
layer send back a "fragmentation needed but DF set" ICMP to the sender?

It surely would if

- the system was a router
- the traffic was passing through the box instead of originating locally
- the SA was in tunnel mode or
- there was an interface for the encrypted connection with lower MTU

Looks like an oversight for transport mode and locally originating traffic to me.

Kind regards,
Patrick
-- 
punkt.de GmbH
Patrick M. Hausen
.infrastructure

Kaiserallee 13a
76133 Karlsruhe

Tel. +49 721 9109500

https://infrastructure.punkt.de
info at punkt.de

AG Mannheim 108285
Geschäftsführer: Jürgen Egeling, Daniel Lienert, Fabian Stein
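The size arithmetic behind this thread, as an added example that is not part of the original message or of FreeBSD's IPsec code: a small model that applies transport-mode ESP growth (RFC 4303 layout: SPI, sequence number, IV, padded payload, pad-length and next-header bytes, ICV) to a locally originated IPv4 packet and then takes the decision the RFC text quoted above describes: send as-is if it fits, fragment the finished ESP packet if DF is clear, or signal "fragmentation needed and DF set" with the largest inner packet that would still fit if DF is set. The 20-byte IPv4 header, the MTU of 1500 and the cipher parameters (AES-CBC with a 16-byte IV and HMAC-SHA1-96, AES-GCM with an 8-byte IV and 16-byte ICV) are constructed assumptions; the function names are hypothetical.

```python
"""Constructed model of ESP transport-mode size growth and the DF/MTU decision.

Added example, not code from the mailing-list thread or from FreeBSD.
Assumes IPv4 without options (20-byte header) and the ESP layout of RFC 4303:
SPI(4) + SeqNo(4) + IV + [payload + padding + PadLen(1) + NextHdr(1)] + ICV.
"""

IPV4_HDR = 20
ESP_HDR = 8                 # SPI + sequence number
ESP_TRAILER = 2             # pad length + next header
ICMP_FRAG_NEEDED = (3, 4)   # Destination Unreachable, code 4: fragmentation needed and DF set


def esp_transport_len(inner_total_len, iv_len, block_size, icv_len):
    """Outer IPv4 length after transport-mode ESP is applied to an inner_total_len-byte packet."""
    if inner_total_len < IPV4_HDR:
        raise ValueError("inner packet shorter than an IPv4 header")
    block = max(block_size, 4)                 # ESP requires at least 4-byte alignment
    payload = inner_total_len - IPV4_HDR       # transport mode encrypts everything after the IP header
    padded = -(-(payload + ESP_TRAILER) // block) * block   # round up to the cipher block size
    return IPV4_HDR + ESP_HDR + iv_len + padded + icv_len


def max_inner_len(mtu, iv_len, block_size, icv_len):
    """Largest inner IPv4 packet whose transport-mode ESP form still fits in mtu.

    This is the value to advertise to the sender, i.e. the effective MTU of the SA.
    """
    block = max(block_size, 4)
    room = mtu - IPV4_HDR - ESP_HDR - iv_len - icv_len   # bytes left for the padded payload
    padded = (room // block) * block                      # largest block-aligned payload that fits
    return padded - ESP_TRAILER + IPV4_HDR


def outbound_decision(inner_total_len, df, mtu, iv_len, block_size, icv_len):
    """Decide what the stack should do with a locally originated transport-mode ESP packet."""
    outer = esp_transport_len(inner_total_len, iv_len, block_size, icv_len)
    if outer <= mtu:
        return {"action": "send", "outer_len": outer}
    if df:
        # The sender has to learn the smaller effective MTU; for local traffic this would be
        # reported to the socket / path-MTU cache rather than as an ICMP message on the wire.
        return {
            "action": "icmp_frag_needed",
            "outer_len": outer,
            "icmp": ICMP_FRAG_NEEDED,
            "next_hop_mtu": max_inner_len(mtu, iv_len, block_size, icv_len),
        }
    # DF clear: the IP layer fragments the finished ESP packet (fragment offsets are in
    # 8-byte units); the receiver reassembles before it decrypts anything.
    frag_payload = ((mtu - IPV4_HDR) // 8) * 8
    nfrags = -(-(outer - IPV4_HDR) // frag_payload)
    return {"action": "fragment_after_esp", "outer_len": outer, "fragments": nfrags}


if __name__ == "__main__":
    # Constructed SA parameters: AES-CBC (16-byte IV, 16-byte blocks) + HMAC-SHA1-96 (12-byte ICV)
    cbc = dict(iv_len=16, block_size=16, icv_len=12)
    print("full-size packet, DF set   :", outbound_decision(1500, True, 1500, **cbc))
    print("full-size packet, DF clear :", outbound_decision(1500, False, 1500, **cbc))
    print("1400-byte packet, DF set   :", outbound_decision(1400, True, 1500, **cbc))
    # Constructed SA parameters: AES-GCM (8-byte IV, 4-byte alignment, 16-byte ICV)
    gcm = dict(iv_len=8, block_size=4, icv_len=16)
    print("effective MTU with AES-GCM :", max_inner_len(1500, **gcm))
```

With the AES-CBC/HMAC-SHA1 parameters a 1500-byte inner packet grows to 1544 bytes, so with DF set the stack should report an effective MTU of 1458 bytes, and with DF clear the ESP packet leaves as two fragments; the effective MTU depends on the SA's cipher and integrity algorithm, which is why the sender cannot derive it from the interface MTU alone.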


