--- Comment #3 from Janne Peltonen ---
RFC 791 and RFC 6864 specify uniqueness criteria for the IP ID field. Those
criteria have to be met also with IPsec even if IPsec RFCs do not say so.

Now an IP host/router implementation that is using ODP and ODP IPsec may end up
sending two AH or ESP packets (one transport mode packet, one tunnel mode
packet) with the same source and destination and with the same IP ID value very
close to each other. This is wrong and can prevent successful reassembly of
those packets if they get fragmented.

To put it another way, an IP endpoint cannot generate the IP ID value
independently for different packets that have the same (source, destination,
protocol) tuple, but that is what now happens with ODP.

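The collision described in the comment above, as an added example that is not part of the original comment and is not ODP code. All names (`ipid_table`, `ipid_next`, `same_id_pairs`) are hypothetical, the addresses are constructed, and it assumes each SA's independent counter starts at zero.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 64  /* hypothetical table size */

struct flow { uint32_t src, dst; uint8_t proto; };
struct ipid_table {
    struct { struct flow key; uint16_t next; int used; } slot[SLOTS];
};

/* Next IP ID for a (source, destination, protocol) tuple; -1 if the table is full. */
static int ipid_next(struct ipid_table *t, struct flow f)
{
    uint32_t h = (f.src * 2654435761u) ^ f.dst ^ f.proto;
    for (unsigned i = 0; i < SLOTS; i++) {
        unsigned s = (h + i) % SLOTS;
        if (!t->slot[s].used) {            /* first packet seen for this tuple */
            t->slot[s].used = 1;
            t->slot[s].key = f;
        }
        if (t->slot[s].key.src == f.src && t->slot[s].key.dst == f.dst &&
            t->slot[s].key.proto == f.proto)
            return t->slot[s].next++;      /* wraps at 65536 like the 16-bit field */
    }
    return -1;
}

/* Emit n transport-mode and n tunnel-mode ESP packets whose (outer) IP headers
 * share one tuple, and count the pairs that end up with the same IP ID. */
static int same_id_pairs(int shared, int n)
{
    struct flow f = { 0xC0000201u, 0xC0000202u, 50 }; /* constructed: 192.0.2.1 -> 192.0.2.2, ESP */
    struct ipid_table t;
    uint16_t transport_ctr = 0, tunnel_ctr = 0;       /* assumed per-SA counters */
    int hits = 0;

    memset(&t, 0, sizeof t);
    for (int i = 0; i < n; i++) {
        int a = shared ? ipid_next(&t, f) : transport_ctr++;
        int b = shared ? ipid_next(&t, f) : tunnel_ctr++;
        hits += (a == b);
    }
    return hits;
}

int main(void)
{
    printf("independent per-SA counters: %d of 100 pairs share an IP ID\n", same_id_pairs(0, 100));
    printf("one counter per tuple:       %d of 100 pairs share an IP ID\n", same_id_pairs(1, 100));
    return 0;
}
```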