Date: Mon, 23 Dec 2019 13:02:32 +0100
From: "Patrick M. Hausen" <hausen@punkt.de>
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc: Eugene Grosbein <eugen@grosbein.net>, Victor Sudakov <vas@sibptus.ru>, freebsd-net@freebsd.org, Michael Tuexen <tuexen@freebsd.org>
Subject: Re: IPSec transport mode, mtu, fragmentation...
Message-ID: <FFC8D7DF-CCB7-42CC-9442-670DC5E4809C@punkt.de>
In-Reply-To: <5793a8ad-bf37-f2f2-29d8-29497d782651@yandex.ru>
References: <20191220152314.GA55278@admin.sibptus.ru> <f38d1f3c-dc47-0776-29f9-2151b05e09b0@tuxpowered.net> <20191220160357.GB56081@admin.sibptus.ru> <20191220162233.GA56815@admin.sibptus.ru> <55eeca4c-9633-339a-f521-b0db462cc1d6@yandex.ru> <20191223100655.GA41651@admin.sibptus.ru> <3edbc7ad-a760-48c7-3222-202d7a835fe5@yandex.ru> <35fd51d5-c171-c97c-5bb2-529912d75844@grosbein.net> <bbaa6ae8-e1f6-1aaf-9291-7dbfc7b9b419@yandex.ru> <e9bbf019-f126-8e5b-87ac-698c04406278@grosbein.net> <5793a8ad-bf37-f2f2-29d8-29497d782651@yandex.ru>
Hi all,

> On 23.12.2019 at 12:28, Andrey V. Elsukov <bu7cher@yandex.ru> wrote:
>
> "If required, IP fragmentation occurs after IPsec processing within an
> IPsec implementation. Thus, transport mode AH or ESP is applied only
> to whole IP datagrams (not to IP fragments)."
>
> This is exactly how it works now. IPsec does encryption and passes ESP
> packet to IP stack, then it can be fragmented if it is allowed (i.e. no
> DF bit set).
>
> "An IP packet to which AH or ESP has been applied may itself be
> fragmented by routers en route, and such fragments MUST be reassembled
> prior to IPsec processing at a receiver."
>
> If fragmentation was allowed at previous step, the receiver will have
> several fragments that will be reassembled into single ESP packet, and
> then it will be decrypted and passed to IP stack. I.e. IPsec will not
> try to decrypt each fragment before reassembly.

I'm with Andrey on this one.

Shouldn't the encryption and encapsulation layer send back a
"fragmentation needed but DF set" ICMP to the sender?

It surely would if

- the system was a router
- the traffic was passing through the box instead of originating locally
- the SA was in tunnel mode or
- there was an interface for the encrypted connection with lower MTU

Looks like an oversight for transport mode and locally originating
traffic to me.

Kind regards,
Patrick

--
punkt.de GmbH
Patrick M. Hausen
.infrastructure

Kaiserallee 13a
76133 Karlsruhe

Tel. +49 721 9109500

https://infrastructure.punkt.de
info@punkt.de

AG Mannheim 108285
Managing directors: Jürgen Egeling, Daniel Lienert, Fabian Stein
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?FFC8D7DF-CCB7-42CC-9442-670DC5E4809C>
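The RFC 4301 text quoted above (ESP applied to the whole datagram first, then fragment or reject) and Patrick's question about a "fragmentation needed but DF set" ICMP both turn on one number: the largest cleartext datagram that still fits the link after ESP transport-mode encapsulation, which is the MTU such an ICMP would have to report. The script below is an added example, not code from the thread or from the FreeBSD kernel. It models the IPv4 ESP transport-mode output decision for two common transforms; the overheads it assumes (ESP header 8 bytes, 2-byte pad-length/next-header trailer, AES-CBC with a 16-byte IV and 16-byte padding alignment plus HMAC-SHA1-96's 12-byte ICV, AES-GCM-16 with an 8-byte IV, 4-byte alignment and a 16-byte ICV, no ESN, no UDP encapsulation) are assumptions of the example, and the function names are hypothetical.

```python
"""Model of the IPv4 ESP transport-mode output path per RFC 4301:
ESP is applied to the whole datagram first; only then is the ESP
packet sent as is, fragmented (DF clear), or rejected with an ICMP
"fragmentation needed" carrying the reduced MTU (DF set).
Illustrative model only, not the FreeBSD implementation."""

from dataclasses import dataclass

IPV4_HDR = 20      # no IP options assumed
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspTransform:
    name: str
    iv_len: int      # explicit IV carried in the ESP payload
    block_size: int  # padding alignment required by the cipher
    icv_len: int     # integrity check value appended after the trailer


# Assumed overheads for two widely used transforms (example values).
AES_CBC_HMAC_SHA1 = EspTransform("aes-cbc/hmac-sha1-96", iv_len=16, block_size=16, icv_len=12)
AES_GCM_16 = EspTransform("aes-gcm-16", iv_len=8, block_size=4, icv_len=16)


def esp_transport_len(ip_payload_len: int, t: EspTransform) -> int:
    """Total IPv4 length after ESP transport mode wraps the IP payload
    (the original IP header is kept, protocol becomes ESP)."""
    pad = (-(ip_payload_len + ESP_TRAILER)) % t.block_size
    return IPV4_HDR + ESP_HDR + t.iv_len + ip_payload_len + pad + ESP_TRAILER + t.icv_len


def esp_transport_mtu(link_mtu: int, t: EspTransform) -> int:
    """Largest cleartext datagram length that still fits link_mtu after ESP.
    This is the MTU a 'fragmentation needed' ICMP should report to the sender."""
    avail = link_mtu - IPV4_HDR - ESP_HDR - t.iv_len - t.icv_len
    usable = avail - (avail % t.block_size)   # payload+pad+trailer must align
    return IPV4_HDR + usable - ESP_TRAILER


def fragment_count(total_len: int, link_mtu: int) -> int:
    """Fragments needed for an IPv4 packet; fragment payloads are 8-byte multiples."""
    per_frag = (link_mtu - IPV4_HDR) // 8 * 8
    return -(-(total_len - IPV4_HDR) // per_frag)


def esp_output(datagram_len: int, df: bool, link_mtu: int, t: EspTransform):
    """Action taken after ESP has been applied to a locally generated datagram."""
    esp_len = esp_transport_len(datagram_len - IPV4_HDR, t)
    if esp_len <= link_mtu:
        return ("send", esp_len)
    if df:
        # DF set: the ESP packet must not be fragmented; tell the sender
        # the effective MTU so PMTU discovery can shrink the next segment.
        return ("icmp_frag_needed", esp_transport_mtu(link_mtu, t))
    # DF clear: fragment the ESP packet itself; the receiver reassembles
    # all fragments before handing the single ESP packet to IPsec.
    return ("fragment", fragment_count(esp_len, link_mtu))


if __name__ == "__main__":
    # A full-size TCP segment with DF set (as PMTUD sets it) on a 1500-byte link.
    for t in (AES_CBC_HMAC_SHA1, AES_GCM_16):
        print(t.name, esp_output(1500, True, 1500, t))
        print(t.name, "resend at reported MTU:",
              esp_output(esp_transport_mtu(1500, t), True, 1500, t))
    print("DF clear:", esp_output(1500, False, 1500, AES_CBC_HMAC_SHA1))
```

Running it shows the point of the discussion: a 1500-byte datagram with DF set cannot be sent on a 1500-byte link after ESP, and the only way the local sender can learn the 1458-byte (AES-CBC/HMAC-SHA1) or 1466-byte (AES-GCM-16) effective MTU is an ICMP "fragmentation needed" generated by the stack itself; with DF clear the same packet simply goes out as two fragments of the ESP packet, to be reassembled before decryption on the far side.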