Hi,

RFC 4301, section 5.1 says that if pre-fragmentation is to be supported then the policy lookup has to happen on fragmented packets and the non-initial fragments will not match any policy with non-trivial ports. I have a doubt about this. After searching on the Internet for earlier results I could not find whether it was discussed previously on this list, nor did I find it in the RFC 4301 errata. Here's the relevant excerpt:

*"Note: With the exception of IPv4 and IPv6 transport mode, an SG, BITS, or BITW implementation MAY fragment packets before applying IPsec. (This applies only to IPv4. For IPv6 packets, only the originator is allowed to fragment them.) The device SHOULD have a configuration setting to disable this. The resulting fragments are evaluated against the SPD in the normal manner. Thus, fragments not containing port numbers (or ICMP message type and code, or Mobility Header type) will only match rules having port (or ICMP message type and code, or MH type) selectors of OPAQUE or ANY. (See Section 7 for more details.)"*

For deciding whether to fragment a packet we need to know the packet's length and the MTU (or PMTU but to k) of the interface. An IPsec tunnel alters the length of the packet and possibly the outgoing interface as well. It means the policy affects the decision of whether a packet would get fragmented or not. However, RFC section 5.1 requires the implementation to perform the policy lookup on the fragmented packet. How can the implementation decide if a packet should be fragmented before knowing what policy (and SA) will match?

Moreover, section 7.3 (reassembly for policy verification) becomes redundant if the implementation has conformed to section 5.1, since the non-initial fragments are required to match only a 3-tuple policy at the sender. That means, at the receiver, non-initial fragments must be matched only to policy rules without non-trivial ports.

Can someone please help me understand what I'm missing here?

Thanks and regards,
Gandhar Gokhale
Networking Components Group
LSI
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
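The asymmetry the post describes can be made concrete with a small model. The following is an added illustration, not code from the original message or from any IPsec implementation: it builds a two-entry ordered SPD, pre-fragments a constructed 1450-byte TCP packet to leave room for an assumed ESP tunnel overhead, and then runs the RFC 4301 lookup over the fragments. The SPD entries, the 74-byte overhead figure, the port numbers and the MTU are all sample values; the reading that an OPAQUE selector matches only when the port field is unavailable while ANY matches in either case is taken from RFC 4301 section 4.4.1.1 as I understand it and is noted in the code as an assumption.

```python
"""Toy model of RFC 4301 section 5.1 pre-fragmentation and SPD lookup.

Added illustration, not code from the original post: every SPD entry,
overhead figure and packet below is a constructed sample.
"""
from dataclasses import dataclass
from typing import List, Optional, Union

ANY = "ANY"        # selector wildcard: matches a port whether it is present or not
OPAQUE = "OPAQUE"  # selector that matches only when the field is unavailable
                   # (my reading of RFC 4301 section 4.4.1.1; an assumption)
PortSel = Union[int, str]
IP_HDR = 20        # IPv4 header length without options


@dataclass
class SPDEntry:
    name: str
    proto: int
    src_port: PortSel
    dst_port: PortSel
    action: str               # PROTECT / BYPASS / DISCARD
    tunnel_overhead: int = 0  # bytes ESP tunnel mode adds; depends on the SA (sample value)


@dataclass
class Fragment:
    proto: int
    src_port: Optional[int]   # None when the transport header is not in this fragment
    dst_port: Optional[int]
    offset: int               # in 8-byte units, as carried in the IPv4 header
    more: bool                # MF flag
    length: int               # on-the-wire length including the IP header


def port_matches(sel: PortSel, port: Optional[int]) -> bool:
    if sel == ANY:
        return True
    if sel == OPAQUE:
        return port is None
    return port == sel


def spd_lookup(spd: List[SPDEntry], frag: Fragment) -> Optional[SPDEntry]:
    """Ordered search, first match wins (the SPD is an ordered list)."""
    for e in spd:
        if (e.proto == frag.proto
                and port_matches(e.src_port, frag.src_port)
                and port_matches(e.dst_port, frag.dst_port)):
            return e
    return None


def needs_fragmentation(total_len: int, mtu: int, entry: SPDEntry) -> bool:
    """The answer depends on which entry (and therefore which SA) the packet hits."""
    return total_len + entry.tunnel_overhead > mtu


def fragment_ipv4(total_len: int, src_port: int, dst_port: int,
                  limit: int, proto: int = 6) -> List[Fragment]:
    """Split an IPv4 packet so each fragment is at most `limit` bytes on the wire.
    Only the first fragment carries the transport header, hence the ports."""
    payload = total_len - IP_HDR
    chunk = ((limit - IP_HDR) // 8) * 8   # fragment data must be a multiple of 8
    frags, off = [], 0
    while off < payload:
        size = min(chunk, payload - off)
        first = off == 0
        frags.append(Fragment(proto,
                              src_port if first else None,
                              dst_port if first else None,
                              off // 8,
                              off + size < payload,
                              IP_HDR + size))
        off += size
    return frags


def classify(spd: List[SPDEntry], frags: List[Fragment]) -> List[str]:
    return [e.name if (e := spd_lookup(spd, f)) else "NO-MATCH" for f in frags]


# Constructed sample policy: protect web traffic, let other TCP through.
SPD = [
    SPDEntry("web-protect", 6, ANY, 80, "PROTECT", tunnel_overhead=74),
    SPDEntry("tcp-bypass", 6, ANY, ANY, "BYPASS"),
]
MTU = 1500
PKT_LEN = 1450


def demo():
    whole = Fragment(6, 40000, 80, 0, False, PKT_LEN)
    matched = spd_lookup(SPD, whole)                           # web-protect
    protect_frag = needs_fragmentation(PKT_LEN, MTU, matched)  # 1524 > 1500
    bypass_frag = needs_fragmentation(PKT_LEN, MTU, SPD[1])    # 1450 <= 1500
    # Pre-fragment leaving room for the overhead of the entry we expect to hit ...
    frags = fragment_ipv4(PKT_LEN, 40000, 80, MTU - matched.tunnel_overhead)
    # ... and then look each fragment up "in the normal manner", as 5.1 requires.
    return matched.name, protect_frag, bypass_frag, classify(SPD, frags)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows both halves of the question: whether the packet needs fragmenting at all is only known after the lookup (True under `web-protect`, False under `tcp-bypass`), and once it is pre-fragmented, the initial fragment matches `web-protect` while the non-initial fragment, having no ports, falls through to the ANY entry. A defender reviewing such a policy would want the catch-all entry's action chosen with that fall-through in mind, and would make use of the configuration setting the RFC says SHOULD exist to disable pre-fragmentation where the port-specific entries matter.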
