tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: FAST_IPSEC fragmentation problem


On Tue, Oct 16, 2012 at 04:05:11PM -0400, Beverly Schwartz wrote:
> BTW, IPv6 doesn't quite run into this because it just applies source
> fragmentation to the new packet.  IPv6 should not fragment midstream,
> so this is probably not desired behavior.  However, one could argue
> that the encapsulated packet is a new packet, therefore fragmentation
> is allowed.  In my opinion, this doesn't ring true to the spirit of the
> IPv6 spec.

IPv6 says "a router must not fragment someone else's packets".  An IPSEC
device is fragmenting its own packets and (the important bit) at the
end of the tunnel, the original packet emerges unfragmented.

Whether you fragment in IPSEC tunnels, segment in ATM cells, etc. - as
long as you do not modify the original IPv6 packet, you're fine.

USENET is *not* the non-clickable part of WWW!
Gert Doering - Munich, Germany                    
fax: +49-89-35655025               

Home | Main Index | Thread Index | Old Index