Path: utzoo!utgpu!water!watmath!clyde!rutgers!uwvax!oddjob!hao!ames!pasteur!ucbvax!GSWD-VMS.GOULD.COM!tucker%vger
From: tucker%vger@GSWD-VMS.GOULD.COM (Tim Tucker)
Newsgroups: comp.protocols.tcp-ip
Subject: IP security options (again)
Message-ID: <8802211733.AA02444@vger>
Date: 21 Feb 88 17:33:16 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 11

We have found that any system using 4.3 BSD TCP/IP code can't handle the IP security option. The reason follows.

If you fragment a packet with the IP security option, the option should only appear in the first fragment. On BSD 4.3 systems this is done correctly, but the IP header in the second or more fragments is too long! The option is removed correctly, but the IP header size is not adjusted. This bug causes fragmented packets with the IP security option to be dropped in reassembly. A big bug, since most people using the option are connected to a link like the ARPAnet thru ethernet.

Tim Tucker
tucker@claudius.Gould.COM
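The step the post says is missing, recomputing the header length after options are dropped from a later fragment, is shown below as an added example; it is not part of the original post and is not the 4.3 BSD code. The names `frag_copy_options` and `frag_ihl` and the sample option bytes are constructed for illustration, and the choice of which options stay in later fragments follows the copied flag (high bit of the option type) from RFC 791.

```c
#include <stdint.h>
#include <string.h>

#define IPOPT_EOL 0                    /* end of option list, also used as padding */
#define IPOPT_NOP 1                    /* one-octet no-operation */
#define IPOPT_COPIED(t) ((t) & 0x80)   /* RFC 791 copied flag in the type octet */
#define IP_BASE_HLEN 20                /* IP header without options, in octets */
#define IP_MAX_OPTLEN 40               /* largest option area a header can hold */

/* Constructed sample: Record Route (type 7, not copied), NOP,
 * Loose Source Route (type 131, copied), padded to 20 octets. */
static const uint8_t sample_opts[20] = {
    7, 7, 4, 0, 0, 0, 0,
    IPOPT_NOP,
    131, 11, 4, 10, 0, 0, 1, 10, 0, 0, 2,
    IPOPT_EOL
};

/* Write the options for a non-first fragment into out (at least 40 octets).
 * Returns the padded option length, or -1 if the option list is malformed. */
int frag_copy_options(const uint8_t *opts, size_t optlen, uint8_t *out)
{
    size_t i = 0, n = 0;
    if (optlen > IP_MAX_OPTLEN) return -1;
    while (i < optlen && opts[i] != IPOPT_EOL) {
        size_t len = 1;                       /* NOP is a single octet */
        if (opts[i] != IPOPT_NOP) {
            if (i + 1 >= optlen) return -1;   /* length octet missing */
            len = opts[i + 1];
            if (len < 2 || i + len > optlen) return -1;
        }
        if (IPOPT_COPIED(opts[i])) {          /* keep only copied options */
            memcpy(out + n, opts + i, len);
            n += len;
        }
        i += len;
    }
    while (n % 4) out[n++] = IPOPT_EOL;       /* pad to a 32-bit boundary */
    return (int)n;
}

/* Header length field (IHL, in 32-bit words) for a non-first fragment. */
int frag_ihl(const uint8_t *opts, size_t optlen, uint8_t *out)
{
    int n = frag_copy_options(opts, optlen, out);
    return n < 0 ? -1 : (IP_BASE_HLEN + n) / 4;
}
```

With the constructed sample, the original datagram carries a 40-octet header (IHL 10), while a later fragment keeps 12 octets of options and must carry IHL 8; leaving the field at 10 is the mismatch the post describes.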