7. Handling Fragments
IPsec performs its access control function by relating the contents of a packet to the selectors defined in the SPD. When a packet is fragmented, this relationship can be disrupted, potentially allowing unauthorized traffic to pass through the IPsec boundary.
Fragment Handling Challenges
Fragmentation creates challenges for IPsec processing because:
- Transport Mode: The IP header is modified during IPsec processing, so the fragments of one datagram cannot be reliably matched to each other
- Tunnel Mode: Fragmentation can occur either before or after IPsec encapsulation, and the two cases must be handled differently
- Selector Matching: Port numbers (and other next-layer protocol data used as selectors) are present only in the first fragment; non-initial fragments carry no transport header to match against
Stateful Fragment Checking
To address these challenges, IPsec implementations SHOULD support stateful fragment checking. This feature:
- Tracks the first fragment of a packet to extract selector information
- Validates subsequent fragments against the cached state
- Ensures all fragments of a packet are processed consistently with SPD policy
Fragment Reassembly Considerations
Before IPsec Processing:
- Reassembly before IPsec processing simplifies selector matching
- Requires buffering capacity for fragment reassembly
- May expose the reassembly buffer to fragment-based attacks
After IPsec Processing:
- Fragments are processed individually through IPsec
- Reassembly occurs on the protected side
- Stateful checking is required so that non-initial fragments, which carry no selector data of their own, are still subject to SPD policy
Implementation Requirements
- An IPsec implementation MUST support processing of individual fragments
- Stateful fragment checking SHOULD be supported and SHOULD be configurable on a per-SA basis
- If stateful checking is not performed, fragments that lack the selector information needed for an SPD match (non-initial fragments) MUST be discarded
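The following is an added worked example, not code from the original text or from any IPsec implementation, showing the stateful fragment checking procedure described above (cache the SPD decision made on the initial fragment, reuse it for later fragments of the same datagram) next to the stateless behaviour required by the last bullet (discard non-initial fragments that cannot be matched). Everything here is an assumption for illustration: the SPD is a small ordered rule list where a missing dst_port means an OPAQUE/ANY-port rule, the cache key is (src, dst, protocol, IP ID), and a non-initial fragment that arrives before its initial fragment is simply discarded rather than held. The packets are constructed inline with a minimal IPv4 header builder.

```python
"""Stateful vs. stateless fragment checking against an SPD (hypothetical example)."""
import ipaddress
import struct

# --- Constructed packets: minimal IPv4 header (no options) + payload ---------

def build_ipv4(src, dst, proto, ident, frag_offset, more_fragments, payload):
    """frag_offset is in 8-byte units as on the wire; more_fragments sets MF."""
    total_len = 20 + len(payload)
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                         64, proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload

def parse_ipv4(pkt):
    """Extract the fields a selector lookup needs. Ports are only recoverable
    from the initial fragment (offset 0) of a TCP or UDP datagram."""
    ver_ihl, _, _, ident, flags_frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = flags_frag & 0x1FFF
    mf = bool(flags_frag & 0x2000)
    ports = None
    if offset == 0 and proto in (6, 17) and len(pkt) >= ihl + 4:
        ports = struct.unpack("!HH", pkt[ihl:ihl + 4])   # (src_port, dst_port)
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "id": ident, "offset": offset, "mf": mf, "ports": ports}

# --- Hypothetical SPD: ordered, first match wins; dst_port None = OPAQUE/ANY --
SPD = [
    {"dst": "10.0.0.0/24", "proto": 17, "dst_port": 53, "action": "PROTECT"},
    {"dst": "10.0.0.0/24", "proto": 6,  "dst_port": 22, "action": "PROTECT"},
    {"dst": "0.0.0.0/0",   "proto": None, "dst_port": None, "action": "DISCARD"},
]

def spd_lookup(fields):
    """Match parsed fields against the SPD. A rule that names a port cannot
    match a packet whose port selector is unavailable."""
    for rule in SPD:
        if ipaddress.ip_address(fields["dst"]) not in ipaddress.ip_network(rule["dst"]):
            continue
        if rule["proto"] is not None and rule["proto"] != fields["proto"]:
            continue
        if rule["dst_port"] is not None:
            if fields["ports"] is None or fields["ports"][1] != rule["dst_port"]:
                continue
        return rule["action"]
    return "DISCARD"   # no rule matched: default deny

class FragmentChecker:
    """Per-fragment PROTECT/DISCARD decision. In stateful mode the decision for
    the initial fragment is cached under (src, dst, proto, id) and applied to
    the datagram's later fragments. Assumption: a non-initial fragment seen
    before its initial fragment is discarded. Cache entry timeouts, which a real
    implementation needs to bound memory, are omitted here."""
    def __init__(self, stateful=True):
        self.stateful = stateful
        self.cache = {}

    def check(self, pkt):
        f = parse_ipv4(pkt)
        key = (f["src"], f["dst"], f["proto"], f["id"])
        if f["offset"] == 0:
            action = spd_lookup(f)          # full selector data is available
            if self.stateful and f["mf"]:
                self.cache[key] = action    # remember it for the remaining fragments
            return action
        # Non-initial fragment: no port information in this packet.
        if self.stateful and key in self.cache:
            return self.cache[key]
        # No state: only an OPAQUE/ANY-port rule could admit it; otherwise DISCARD.
        return spd_lookup(dict(f, ports=None))

def demo():
    """Constructed sample: a two-fragment UDP/53 datagram plus a stray fragment
    whose initial fragment was never seen."""
    udp_to_dns = struct.pack("!HHHH", 40000, 53, 0, 0) + b"A" * 4   # 8-byte first piece
    first = build_ipv4("192.0.2.10", "10.0.0.5", 17, 0x1234, 0, True, udp_to_dns)
    second = build_ipv4("192.0.2.10", "10.0.0.5", 17, 0x1234, 1, False, b"B" * 16)
    stray = build_ipv4("192.0.2.10", "10.0.0.5", 17, 0x9999, 1, False, b"C" * 16)
    stateful, stateless = FragmentChecker(stateful=True), FragmentChecker(stateful=False)
    return {
        "stateful": [stateful.check(first), stateful.check(second), stateful.check(stray)],
        "stateless": [stateless.check(first), stateless.check(second)],
    }

if __name__ == "__main__":
    print(demo())
```

In stateful mode the second fragment inherits the PROTECT decision cached from the first, while the stray fragment with an unknown IP ID falls through to the default DISCARD. In stateless mode the same second fragment is discarded, because the only rule that could admit UDP to 10.0.0.0/24 names a port that a non-initial fragment cannot supply.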