Hi all,

> On 23.12.2019 at 12:28, Andrey V. Elsukov <bu7c...@yandex.ru> wrote:
> "If required, IP fragmentation occurs after IPsec processing within an
> IPsec implementation. Thus, transport mode AH or ESP is applied only
> to whole IP datagrams (not to IP fragments)."
>
> This is exactly how it works now. IPsec does the encryption and passes the ESP
> packet to the IP stack, then it can be fragmented if that is allowed (i.e. no
> DF bit set).
>
> "An IP packet to which AH or ESP has been applied may itself be
> fragmented by routers en route, and such fragments MUST be reassembled
> prior to IPsec processing at a receiver."
>
> If fragmentation was allowed at the previous step, the receiver will have
> several fragments that will be reassembled into a single ESP packet, and
> then it will be decrypted and passed to the IP stack. I.e. IPsec will not
> try to decrypt each fragment before reassembly.
I'm with Andrey on this one.

Shouldn't the encryption and encapsulation layer send back a "fragmentation
needed but DF set" ICMP to the sender? It surely would if

- the system was a router
- the traffic was passing through the box instead of originating locally
- the SA was in tunnel mode or
- there was an interface for the encrypted connection with a lower MTU

Looks like an oversight for transport mode and locally originating traffic
to me.

Kind regards,
Patrick

--
punkt.de GmbH
Patrick M. Hausen
.infrastructure
Kaiserallee 13a
76133 Karlsruhe
Tel. +49 721 9109500
https://infrastructure.punkt.de
i...@punkt.de
AG Mannheim 108285
Managing directors: Jürgen Egeling, Daniel Lienert, Fabian Stein
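As an added illustration of the case discussed in this thread (not code from either poster or from the FreeBSD IPsec stack), the model below computes how much ESP transport mode grows a locally originated IPv4 datagram and what the encapsulating host should do when the result exceeds the link MTU: send it, let the IP layer fragment it (DF clear), or, in the DF-set case Patrick describes, report "fragmentation needed" back to the sender with the reduced MTU. The cipher parameters (16-byte IV and block, 12-byte ICV) are assumed, as is the IPv4 header having no options.

```python
from dataclasses import dataclass
from math import ceil

IP_HEADER = 20    # IPv4 header without options (assumed)
ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)


@dataclass
class EspParams:
    """Assumed transform parameters, AES-CBC with HMAC-SHA1-96 style."""
    iv_len: int = 16    # IV in front of the encrypted payload
    block: int = 16     # cipher block size the padding must reach
    icv_len: int = 12   # truncated integrity check value


def esp_transport_length(ip_len: int, p: EspParams) -> int:
    """Outer IPv4 length after ESP transport mode protects a whole datagram.
    The original IP header stays in front; only the payload is protected."""
    payload = ip_len - IP_HEADER
    pad = (-(payload + ESP_TRAILER)) % p.block   # pad to a block boundary
    return IP_HEADER + ESP_HEADER + p.iv_len + payload + pad + ESP_TRAILER + p.icv_len


def max_inner_length(mtu: int, p: EspParams) -> int:
    """Largest inner datagram whose ESP output still fits the link MTU; this is
    what an ICMP 'fragmentation needed' to the local sender would advertise.
    Padding makes the length a step function, so search exactly."""
    for n in range(mtu, IP_HEADER, -1):
        if esp_transport_length(n, p) <= mtu:
            return n
    return IP_HEADER


def decide(ip_len: int, df: bool, mtu: int, p: EspParams) -> dict:
    """What the encapsulating host does with one locally originated datagram."""
    outer = esp_transport_length(ip_len, p)
    if outer <= mtu:
        return {"action": "send", "outer_len": outer}
    if df:
        # DF set, transport mode, local origin: the behaviour the thread
        # argues for is ICMP type 3 code 4 carrying the MTU that would fit.
        return {"action": "icmp_frag_needed", "icmp": (3, 4),
                "outer_len": outer, "next_hop_mtu": max_inner_length(mtu, p)}
    # DF clear: per the quoted RFC text, fragmentation happens after IPsec
    # processing, so the ESP packet itself is split; each fragment carries
    # its own IP header and an 8-byte-aligned share of the ESP payload.
    per_fragment = (mtu - IP_HEADER) // 8 * 8
    return {"action": "fragment", "outer_len": outer,
            "fragments": ceil((outer - IP_HEADER) / per_fragment)}
```

With the default parameters a full 1500-byte datagram on a 1500-byte link becomes 1544 bytes, so the sender would need to be told that 1458-byte datagrams are the largest that still fit.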