Hello,

The UNH-IOL would like to ask the Working Group for feedback regarding an issue 
we've observed.

This issue concerns how a Security Gateway handles IPv6 MTU restrictions and 
fragmentations.  Specifically, how should a SGW handle a received Packet Too 
Big message, for an ESP packet which it transmitted?

From RFC 4301, Section 6.1.1, there are two options:

 "If an ICMP PMTU message passes the checks above and the system is
 configured to accept it, then there are two possibilities.  If the
 implementation applies fragmentation on the ciphertext side of the
 boundary, then the accepted PMTU information is passed to the
 forwarding module (outside of the IPsec implementation), which uses
 it to manage outbound packet fragmentation.  If the implementation is
 configured to effect plaintext side fragmentation, then the PMTU
 information is passed to the plaintext side and processed as
 described in Section 8.2."

The first option, applying fragmentation on the ciphertext side of the boundary, 
seems to be optional, although it's not clear to us if it only applies to IPv4, 
according to RFC 4303, Section 3.3.4:
 "Thus, an ESP implementation MAY choose to not support fragmentation
 and may mark transmitted packets with the DF bit, to facilitate Path
 MTU (PMTU) discovery."

The second option is described in RFC 4301, Section 8.2.1, which is to propagate 
the PMTU information via a synthesized Packet Too Big message.

So, there are two questions we would like to raise.

First, if ciphertext side fragmentation is indeed optional, and an IPv6 SGW 
implementation should choose to not support it, MUST it support generating the 
synthesized PTB message?

Second, the SGW can set the MTU to 1280 bytes, or less, in the synthesized 
Packet Too Big message; however, the originator is not required to reduce the 
size of fragments to less than 1280 bytes, but by adding the ESP header the 
resulting packets will be larger than 1280 bytes.  So, if the upstream MTU is 
1280 bytes, and an SGW implementation chooses not to support ciphertext side 
fragmentation, what is the correct behavior?

Regards,
Timothy Carlin

----
Timothy Carlin
UNH-IOL
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
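To make the arithmetic behind the second question concrete, here is an added example (not part of the message above and not code from any cited RFC) that computes the MTU a tunnel-mode SGW could advertise in a synthesized Packet Too Big message from the upstream PMTU and the per-SA ESP overhead, and shows why a 1280-byte upstream link leaves no advertisable value at or above the IPv6 minimum. The outer header, SPI/sequence and trailer sizes are the fixed ESP tunnel-mode sizes; the two SA parameter sets are assumed example values.

```python
from dataclasses import dataclass

OUTER_IPV6_HEADER = 40   # tunnel-mode outer IPv6 header
ESP_SPI_SEQ = 8          # ESP SPI (4) + Sequence Number (4)
ESP_TRAILER = 2          # Pad Length (1) + Next Header (1)
IPV6_MIN_MTU = 1280      # minimum IPv6 link MTU

@dataclass(frozen=True)
class EspTunnelParams:
    """Per-SA sizes that determine ESP overhead (assumed example values below)."""
    iv_len: int      # bytes of IV carried in the ESP payload
    icv_len: int     # bytes of Integrity Check Value
    align: int       # padding alignment: cipher block size, at least 4 for ESP

# Constructed example SAs; real values depend on the negotiated transform.
AES_GCM_16 = EspTunnelParams(iv_len=8, icv_len=16, align=4)
AES_CBC_HMAC_SHA1_96 = EspTunnelParams(iv_len=16, icv_len=12, align=16)

def esp_padding(inner_len: int, p: EspTunnelParams) -> int:
    # Padding brings (payload + trailer) up to the alignment boundary.
    return (-(inner_len + ESP_TRAILER)) % max(p.align, 4)

def esp_packet_len(inner_len: int, p: EspTunnelParams) -> int:
    """Size on the wire of a tunnel-mode ESP packet carrying an inner packet."""
    return (OUTER_IPV6_HEADER + ESP_SPI_SEQ + p.iv_len + inner_len
            + esp_padding(inner_len, p) + ESP_TRAILER + p.icv_len)

def max_inner_len(outer_pmtu: int, p: EspTunnelParams) -> int:
    """Largest inner packet whose ESP encapsulation still fits outer_pmtu."""
    inner = outer_pmtu - (OUTER_IPV6_HEADER + ESP_SPI_SEQ + p.iv_len
                          + ESP_TRAILER + p.icv_len)
    while inner > 0 and esp_packet_len(inner, p) > outer_pmtu:
        inner -= 1   # padding may push the packet over the limit
    return inner

def synthesized_ptb_mtu(outer_pmtu: int, p: EspTunnelParams) -> tuple[int, bool]:
    """MTU the SGW would advertise to the originator in a synthesized PTB, and
    whether it falls below 1280, which the originator is not required to honour."""
    inner = max_inner_len(outer_pmtu, p)
    return inner, inner < IPV6_MIN_MTU

if __name__ == "__main__":
    for outer in (1500, 1280):
        mtu, floor_hit = synthesized_ptb_mtu(outer, AES_GCM_16)
        print(f"upstream PMTU {outer}: advertise {mtu}, below 1280: {floor_hit}")
    # The case from the second question: the originator keeps sending 1280-byte
    # packets, so every ESP packet exceeds a 1280-byte upstream link.
    print("1280-byte inner packet becomes", esp_packet_len(1280, AES_GCM_16), "bytes")
```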