
linux-ipsec: IPSEC vs. fragments

From: Henry Spencer <henry(at)spsystems.net>
Date: Sat Oct 31 1998 - 13:43:41 EST


> > but when I enable "IP: Always defragment" kernel option,
> > almost everything works fine.
>
> Right. IPSEC is not able to deal with fragments. It is not allowed to
> deal with fragments per the specifications.

I've always skimmed rather lightly over the fragmentation stuff in the specs -- it's a messy issue -- but spurred by this, I went back and had a look. Unless I've missed something, only transport mode is allowed to insist that it see only whole packets. Tunnel mode is supposed to handle them, barring some situations -- e.g., SPD specifications which require knowing the port number -- where it doesn't have enough information.

                                                          Henry Spencer
                                                       henry@spsystems.net
                                                     (henry@zoo.toronto.edu)
Received on Sat Oct 31 14:23:01 1998
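
Added example, not part of the original message and not code from any IPsec implementation: a sketch of why a policy lookup that depends on the port number cannot be decided for a non-initial fragment, while a lookup that ignores ports can. The function names, the rule format and the sample packets are all assumptions constructed for illustration.

```python
import struct

def build_ipv4(payload, proto, frag_units=0, more_fragments=False):
    """Build a minimal IPv4 packet (constructed sample data, checksum left 0)."""
    flags_frag = (0x2000 if more_fragments else 0) | frag_units
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + payload

def ports_for_policy(packet):
    """Return (src_port, dst_port), or None when the ports are not visible."""
    ihl = (packet[0] & 0x0F) * 4
    (flags_frag,) = struct.unpack_from("!H", packet, 6)
    if packet[9] not in (6, 17):      # only TCP and UDP carry ports here
        return None
    if flags_frag & 0x1FFF:           # non-zero offset: no transport header
        return None
    if len(packet) < ihl + 4:         # first fragment too short to hold ports
        return None
    return struct.unpack_from("!HH", packet, ihl)

def spd_lookup(packet, rule):
    """Hypothetical rule: {'proto': int, 'dport': int or None}."""
    if packet[9] != rule["proto"]:
        return "no-match"
    if rule["dport"] is None:         # rule does not care about ports
        return "match"
    ports = ports_for_policy(packet)
    if ports is None:
        return "undecidable"          # not enough information in this packet
    return "match" if ports[1] == rule["dport"] else "no-match"

# Constructed sample: one 32-byte UDP datagram (dst port 500) split in two.
UDP = struct.pack("!HHHH", 40000, 500, 32, 0) + b"A" * 24
FIRST_FRAGMENT = build_ipv4(UDP[:16], 17, frag_units=0, more_fragments=True)
SECOND_FRAGMENT = build_ipv4(UDP[16:], 17, frag_units=2)

PORT_RULE = {"proto": 17, "dport": 500}
ANY_PORT_RULE = {"proto": 17, "dport": None}

if __name__ == "__main__":
    for name, pkt in (("first", FIRST_FRAGMENT), ("second", SECOND_FRAGMENT)):
        print(name, spd_lookup(pkt, PORT_RULE), spd_lookup(pkt, ANY_PORT_RULE))
```
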

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:29 EDT

