Please do read the IPsec spec first....
>Is it possible to apply ESP first and then fragment the resulting
>encrypted packet?
that is how IPsec is specified. on the sender side, you encrypt then
fragment.
>If so, you might end up with a first fragment
>containing an ESP header and (after decryption) some partial but valid
>additional headers, and then the next fragment, after decryption,
>contains a bad header that should result in an ICMP error packet. That
>seems to make things more complicated.
there is no need to worry about this. on the receiver side, you will
reassemble then decrypt.
itojun
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
--------------------------------------------------------------------
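
The ordering described in the reply above (sender: encrypt, then fragment; receiver: reassemble, then decrypt), as an added example that is not part of the original message. It is a simplified model: the keys, the SHA-256 keystream standing in for a real ESP cipher, the 12-byte ICV, and all function names are assumptions, and ESP padding and next-header fields are omitted.

```python
import hashlib, hmac, struct

ENC_KEY = b"constructed-enc-key"    # constructed sample keys, not from the thread
AUTH_KEY = b"constructed-auth-key"
ICV_LEN = 12                        # assumed truncated-HMAC ICV length

def _xor_keystream(data, spi, seq):
    # Toy counter-mode keystream; stands in for a real ESP cipher (assumption).
    ks = b"".join(hashlib.sha256(ENC_KEY + struct.pack("!III", spi, seq, i)).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def _icv(hdr, ct):
    return hmac.new(AUTH_KEY, hdr + ct, hashlib.sha256).digest()[:ICV_LEN]

def esp_seal(spi, seq, payload):
    """Sender step 1: build SPI | sequence | ciphertext | ICV over the whole packet."""
    hdr = struct.pack("!II", spi, seq)
    ct = _xor_keystream(payload, spi, seq)
    return hdr + ct + _icv(hdr, ct)

def fragment(packet, size=64):
    """Sender step 2: split the sealed packet into (offset, more_flag, data) pieces."""
    assert size % 8 == 0            # fragment offsets count 8-octet units
    return [(off, off + size < len(packet), packet[off:off + size])
            for off in range(0, len(packet), size)]

def reassemble(frags):
    """Receiver step 1: return the packet, or None while any fragment is missing."""
    buf, complete = b"", False
    for off, more, data in sorted(frags):
        if off != len(buf):         # gap or overlap: do not hand anything to ESP
            return None
        buf += data
        complete = not more
    return buf if complete else None

def esp_open(packet):
    """Receiver step 2: verify the ICV over the full packet, then decrypt."""
    if packet is None or len(packet) < 8 + ICV_LEN:
        return None
    hdr, ct, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(hdr, ct)):
        return None                 # a lone fragment ends here: its tail is not the ICV
    spi, seq = struct.unpack("!II", hdr)
    return _xor_keystream(ct, spi, seq)

if __name__ == "__main__":
    inner = b"constructed inner packet: " + bytes(range(150))
    frags = fragment(esp_seal(0x1001, 1, inner))
    print(len(frags), "fragments; first alone opens:", esp_open(frags[0][2]) is not None)
    print("reassembled opens:", esp_open(reassemble(frags[::-1])) == inner)
```

Because the ICV covers the whole ESP packet and travels in the last fragment, no individual fragment can be authenticated or parsed on its own, so the inner headers are only examined after reassembly and decryption.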