Monday, February 25, 2008

Fragmentation before encapsulation (Red side fragmentation) - IPsec

I don't know why it is called 'red side fragmentation'.

What is red side fragmentation?

Fragmentation of IP packets is done before ESP/AH/IPCOMP encapsulation in IPsec such that there is no fragmentation required to transmit the encapsulated packets.

Why is this required?

I believe some service providers tend to give lower priority to packets that are fragmented. When they detect congestion, fragmented packets are given lower priority and may get dropped.

IPsec carries a lot of important protocol traffic between sites, and any IPsec packet drop degrades application performance, so IPsec gateways need to ensure that this traffic is not dropped. As you are aware, IPsec adds encapsulation headers such as ESP/AH/IPCOMP and, in tunnel mode, another IP header, which increases the packet size by a few bytes. If a large packet is received from a local host, these additions can push it over the MTU and require fragmentation. If the fragmentation is done after encapsulation, the resulting packets carry the fragmentation fields (the MF bit and the fragment offset) in their IP headers. To avoid this, fragmentation is done on the clear packet, and IPsec encapsulation, including outer IP header insertion, is done on each clear fragment. In this case the outer IP header does not have the fragmentation fields set, so service providers do not give these packets lower priority upon congestion.

Many security devices supporting IPsec have this feature. As an evaluator of security devices, you should look for this feature.
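To make the difference between the two orderings concrete, here is an added example (my own illustration, not code from the post or from any IPsec implementation) that models ESP tunnel-mode sizes and shows what the outer IP header looks like in each case. The overhead constants assume AES-CBC with HMAC-SHA1-96 and a 20-byte IPv4 header without options; the function and field names are my own.

```python
"""Red-side (pre-encapsulation) fragmentation versus fragmenting after ESP.

Added example, not from the original post. The ESP overhead figures below are
constructed assumptions for AES-CBC + HMAC-SHA1-96 in tunnel mode.
"""
from dataclasses import dataclass
from typing import List

IPV4_HDR = 20       # minimal IPv4 header, no options
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_IV = 16         # AES-CBC IV
ESP_TRAILER = 2     # pad length + next header
ESP_ICV = 12        # HMAC-SHA1-96 truncated ICV
CIPHER_BLOCK = 16   # AES block size; plaintext + trailer is padded to this
FRAG_UNIT = 8       # IPv4 fragment offset is counted in 8-byte units


@dataclass
class IPv4Packet:
    total_len: int   # header + payload, in bytes
    mf: bool         # "more fragments" flag
    offset: int      # fragment offset in 8-byte units
    ident: int = 0   # identification field (shared by fragments of one packet)


def esp_tunnel_len(inner_len: int) -> int:
    """Size on the wire of an ESP tunnel-mode packet carrying inner_len bytes."""
    padded = inner_len + ESP_TRAILER
    padded += (-padded) % CIPHER_BLOCK          # pad up to a cipher block boundary
    return IPV4_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV


def red_side_mtu(path_mtu: int) -> int:
    """Largest clear-side packet whose ESP tunnel encapsulation still fits path_mtu.

    The inner payload (excluding its IP header) is kept a multiple of 8 so the
    value can be used directly as the fragment size for non-last fragments.
    """
    inner = path_mtu
    while esp_tunnel_len(inner) > path_mtu or (inner - IPV4_HDR) % FRAG_UNIT:
        inner -= 1
    return inner


def fragment(pkt_len: int, frag_mtu: int, ident: int) -> List[IPv4Packet]:
    """Fragment an IPv4 packet of pkt_len bytes into pieces of at most frag_mtu bytes."""
    if pkt_len <= frag_mtu:
        return [IPv4Packet(pkt_len, False, 0, ident)]
    payload = pkt_len - IPV4_HDR
    chunk = (frag_mtu - IPV4_HDR) // FRAG_UNIT * FRAG_UNIT   # non-last payloads: multiple of 8
    frags, off = [], 0
    while off < payload:
        size = min(chunk, payload - off)
        last = off + size >= payload
        frags.append(IPv4Packet(IPV4_HDR + size, not last, off // FRAG_UNIT, ident))
        off += size
    return frags


def encapsulate(inner: IPv4Packet) -> IPv4Packet:
    """ESP tunnel mode: a fresh outer IP header with MF clear and offset zero."""
    return IPv4Packet(esp_tunnel_len(inner.total_len), False, 0)


def red_side(pkt_len: int, path_mtu: int, ident: int = 1) -> List[IPv4Packet]:
    """Fragment the clear packet first, then encapsulate each fragment."""
    return [encapsulate(f) for f in fragment(pkt_len, red_side_mtu(path_mtu), ident)]


def black_side(pkt_len: int, path_mtu: int, ident: int = 1) -> List[IPv4Packet]:
    """Encapsulate the whole packet first, then fragment the ESP packet (the case to avoid)."""
    whole = encapsulate(IPv4Packet(pkt_len, False, 0))
    return fragment(whole.total_len, path_mtu, ident)


def outer_headers_unfragmented(pkts: List[IPv4Packet], path_mtu: int) -> bool:
    """True when every packet fits the MTU and carries no fragmentation fields."""
    return all(not p.mf and p.offset == 0 and p.total_len <= path_mtu for p in pkts)


if __name__ == "__main__":
    # Constructed scenario: a 1500-byte clear packet across a 1500-byte path MTU.
    for name, fn in (("red side", red_side), ("black side", black_side)):
        pkts = fn(1500, 1500)
        print(name, [(p.total_len, p.mf, p.offset) for p in pkts],
              "outer unfragmented:", outer_headers_unfragmented(pkts, 1500))
```

With these constants a 1500-byte clear packet is split into 1436 and 84 bytes on the red side, and each fragment leaves the gateway as a 1496- and 152-byte ESP packet with MF clear and offset zero; fragmenting after encapsulation instead yields a 1560-byte ESP packet that must be split into two outer fragments carrying MF and a non-zero offset. The model assumes the inner packet does not carry the DF bit; a gateway cannot fragment a DF packet and has to rely on path MTU discovery for it instead.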

1 comment:

Gandhar said...

The real reason for red side fragmentation is reducing the load on the peer gateway. The reassembly would happen at the end host and not on the gateway when sender fragments before encapsulating.
The reasoning you suggest here amounts to deceiving the network into believing that fragments are non-fragments.