Beginner

IPsec Pre-fragmentation for packets with IPv6

Hi ;

Could the feature of IPsec pre-fragmentation be applied for packets with IPv6? Why and how?

Are there any authorized papers or research that prove that? If so, could you provide me with useful ones, please?

Thanks

Rose

Cisco Employee

Rose,

What is the behavior you're seeing?

I can dig into the topic, but to the extent I know, a lower IPsec SA MTU should be detected and the situation reported via the appropriate ICMP message.

Do you see fragmentation of pre-encapsulation packets happening?

Marcin


Hi Marcin;

Do you see fragmentation of pre-encapsulation packets happening?

Yes; double fragmentation could occur if the size of the pre-fragmented packet is larger than the MTU of the transmission link, but this is not my question.

Could I have answers to my questions, please?

Rose

Cisco Employee

Per RFC2460, routers will not perform fragmentation for transit IPv6 traffic. Fragmentation is performed only by the source node, once the fragmentation boundary condition is learned via ICMPv6 Packet Too Big messages. So an IOS router acting as an IPsec endpoint will not perform fragmentation for traffic going into the tunnel; therefore the IPsec pre-fragmentation feature simply does not apply for IPv6.

Hope this helps.

Thanks,

Wen
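
As an added illustration of the behaviour Wen describes, here is a small size model written for this thread (it is not Cisco or IOS code): an IPv4 encrypting router can pre-fragment the cleartext packet so each piece fits the link after ESP encapsulation, while an IPv6 router never fragments transit traffic and instead returns ICMPv6 Packet Too Big with the tunnel MTU, leaving fragmentation to the source node. The ESP overhead figures (16-byte IV, 12-byte ICV, 16-byte block), the 1500-byte link MTU and the 1500-byte sample packet are constructed assumptions, not values from the thread.

```python
"""
Added example, written for this thread (not Cisco IOS code): a size model
showing why IPv4 can use IPsec pre-fragmentation at the encrypting router
while IPv6 relies on the source node after an ICMPv6 Packet Too Big.

Assumed (constructed) parameters: ESP tunnel mode with a 16-byte IV, a
12-byte ICV and a 16-byte cipher block; outer header 40 bytes (IPv6) or
20 bytes (IPv4). The sample link MTU and packet sizes are constructed too.
"""

IPV6_HDR = 40
IPV4_HDR = 20
IPV6_FRAG_HDR = 8    # IPv6 Fragment extension header
ESP_HDR = 8          # SPI + sequence number
ESP_IV = 16          # assumed cipher IV length
ESP_ICV = 12         # assumed integrity check value length
BLOCK = 16           # assumed cipher block size
ESP_TRAILER = 2      # pad length + next header fields


def esp_tunnel_len(inner_len: int, outer_hdr: int) -> int:
    """Wire size of an ESP tunnel-mode packet carrying inner_len bytes."""
    # ESP pads payload + trailer up to a multiple of the cipher block size.
    padded = -(-(inner_len + ESP_TRAILER) // BLOCK) * BLOCK
    return outer_hdr + ESP_HDR + ESP_IV + padded + ESP_ICV


def tunnel_mtu(link_mtu: int, outer_hdr: int) -> int:
    """Largest inner packet whose ESP encapsulation still fits link_mtu."""
    n = link_mtu
    while esp_tunnel_len(n, outer_hdr) > link_mtu:
        n -= 1
    return n


def ipv4_prefragment(inner_len: int, link_mtu: int) -> list:
    """IPv4 IPsec pre-fragmentation: the encrypting router fragments the
    cleartext packet itself so that each fragment, once encapsulated, fits
    the link MTU. Returns cleartext fragment sizes (each with its own IPv4
    header); fragment data is kept on 8-byte boundaries."""
    limit = tunnel_mtu(link_mtu, IPV4_HDR)
    if inner_len <= limit:
        return [inner_len]
    data = inner_len - IPV4_HDR
    per_frag = (limit - IPV4_HDR) // 8 * 8
    frags = []
    while data > 0:
        chunk = min(per_frag, data)
        frags.append(IPV4_HDR + chunk)
        data -= chunk
    return frags


def ipv6_encapsulator(inner_len: int, link_mtu: int) -> tuple:
    """An IPv6 router (RFC 2460) never fragments transit traffic. If the
    encapsulated packet would not fit the link, the router drops it and
    answers with ICMPv6 Packet Too Big carrying the MTU the source must use
    (the tunnel MTU, i.e. link MTU minus ESP and outer-header overhead)."""
    wire = esp_tunnel_len(inner_len, IPV6_HDR)
    if wire <= link_mtu:
        return ("forward", wire)
    return ("icmpv6_packet_too_big", tunnel_mtu(link_mtu, IPV6_HDR))


def ipv6_source_fragment(inner_len: int, path_mtu: int) -> list:
    """The originating node fragments to the learned path MTU, inserting an
    IPv6 Fragment header in each piece. The encrypting router then carries
    each fragment as an ordinary packet; reassembly is done only by the
    final destination node."""
    if inner_len <= path_mtu:
        return [inner_len]
    payload = inner_len - IPV6_HDR
    per_frag = (path_mtu - IPV6_HDR - IPV6_FRAG_HDR) // 8 * 8
    frags = []
    while payload > 0:
        chunk = min(per_frag, payload)
        frags.append(IPV6_HDR + IPV6_FRAG_HDR + chunk)
        payload -= chunk
    return frags


def walk_through(inner_len: int = 1500, link_mtu: int = 1500) -> dict:
    """Run one constructed packet through both behaviours."""
    v4_frags = ipv4_prefragment(inner_len, link_mtu)
    action, value = ipv6_encapsulator(inner_len, link_mtu)
    v6_frags = [inner_len] if action == "forward" else ipv6_source_fragment(inner_len, value)
    return {
        "ipv4_router_prefragments_to": v4_frags,
        "ipv6_router_response": (action, value),
        "ipv6_source_refragments_to": v6_frags,
        # every source fragment must now pass the encapsulator untouched
        "ipv6_fragments_forwarded": all(
            ipv6_encapsulator(f, link_mtu)[0] == "forward" for f in v6_frags),
    }


if __name__ == "__main__":
    for k, v in walk_through().items():
        print(f"{k}: {v}")
```

With the assumed overheads, a 1500-byte link leaves a 1438-byte tunnel MTU for IPv4 and a 1422-byte one for IPv6; the IPv4 router splits the cleartext packet itself, whereas the IPv6 router only reports 1422 back to the source, which then sends two fragments that the router encapsulates without touching.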


Hi Wen;

I'm happy that you replied to me. RFC2460 is a good resource for IPv6 specifications, but it does not discuss the case of IPsec tunnels. If the fragmentation is performed by the source node when needed and encryption is done by the encrypting router after fragmentation, then this is IPsec pre-fragmentation as I understand it. So I need proof that in IPsec tunnels there is no pre-fragmentation for IPv6 packets.

Do you know if the Cisco team has experimented with that or reached any results on this point?

Thanks Wen.

Rose


Hi, Rose:

If by pre-fragmentation you mean the IPsec pre-fragmentation feature in IOS, then it's only applicable on IOS routers that will perform BOTH fragmentation and encryption. Again, I can only speak for this Cisco feature and not "pre-fragmentation" used in other contexts. I don't know if there is any official proof, but I was one of the original requesters and reviewers of this feature when it first came out back in 2003. You can also confirm this by testing it on routers running IOS 12.4(4)T and later, when IPsec IPv6 support came out.

Thanks,

Wen


Hi everybody;

How are you, Wen?

So for IPv6, fragmentation is allowed only by the packet sender; but what about the following:

1- Is this the reason why the IPsec pre-fragmentation feature can't be supported for IPv6, and is fragmentation by the IPv6 packet sender before IPsec encryption not considered pre-fragmentation because the fragmentation is not done by the IPsec encapsulator before encapsulation?

2- Who could reassemble the IPv6 fragmented packets (the receiving router, the receiving peer, or either of them)?

3- Could a tunnel have the sending peer on the sending end instead of the source router in one case, or have the receiving peer on the receiving end instead of the receiving router in another case?

4- Is IPsec post-fragmentation not allowed for IPv6 packets in tunnel mode because IPv6 fragmentation is allowed only by the packet sender?

5- Why doesn't IPsec transport mode carry the IPv6 fragments?

Thanks

Rose


Hi;

Could anyone answer my last five questions, please?

Rose.