Hi,
I have a question about the testing procedure for End Node mode in the IPsec
Self test suite revision 1.1.1 (IPsec spec 1.8.0).
In the first step in Item 5.1.4 Packet Too Big Transmission, the TN will
send an ESP ICMP Echo Request whose total length is 1500 bytes, including
the IPv6 header. The first judgement will expect the NUT to send back an ESP
ICMP Echo Reply whose packet size is also 1500 bytes. However, I have
looked up RFC 4443 (ICMPv6), and it says in Section 2.4, Message Processing:
"(c) Every ICMPv6 error message (type < 128) MUST include as much of the
IPv6 offending (invoking) packet (the packet that caused the
error) as possible without making the error message packet exceed the
minimum IPv6 MTU [IPv6]."
The minimum IPv6 MTU is 1280 bytes. So the TN should accept two
fragmented packets as well. However, this kind of behavior is deemed as
FAIL.
Thanks.
Best regards,
Yi-Wen