Re: FAST_IPSEC fragmentation problem

To: Beverly Schwartz <bschwart%bbn.com@localhost>
Subject: Re: FAST_IPSEC fragmentation problem
From: Gert Doering <gert%greenie.muc.de@localhost>
Date: Tue, 16 Oct 2012 22:34:56 +0200

Hi,

On Tue, Oct 16, 2012 at 04:05:11PM -0400, Beverly Schwartz wrote:
> BTW, IPv6 doesn't quite run into this because it just applies source
> fragmentation to the new packet.  IPv6 should not fragment midstream,
> so this is probably not desired behavior.  However, one could argue
> that the encapsulated packet is a new packet, therefore fragmentation
> is allowed.  In my opinion, this doesn't ring true to the spirit of the
> IPv6 spec.

IPv6 says "a router must not fragment someone else's packets".  An IPSEC
device is fragmenting its own packets and (the important bit) at the
end of the tunnel, the original packet emerges unfragmented.

Whether you fragment in IPSEC tunnels, segment in ATM cells, etc. - as
long as you do not modify the original IPv6 packet, you're fine.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             
gert%greenie.muc.de@localhost
fax: +49-89-35655025                        
gert%net.informatik.tu-muenchen.de@localhost

References:
- FAST_IPSEC fragmentation problem
  - From: Beverly Schwartz

Prev by Date: FAST_IPSEC fragmentation problem
Next by Date: IPv6 tentative address and RTM_NEWADDR (again) (was: Re: error from ntpd upon IPv6 address receipt/bind)
Previous by Thread: FAST_IPSEC fragmentation problem
Next by Thread: IPv4 fragmentation and IPsec details
Indexes:

Home | Main Index | Thread Index | Old Index