3.15.1 Abstract Data Model

When this extension is implemented, the following additional state is maintained. This is an extension to IKE Protocol version 2, as specified in [RFC7296].

Main mode security association database (MMSAD): The entry for each MM SA contains the following IKE fragmentation–specific data elements.

  • Fragmentation supported: A flag that MUST be set if sending fragmented messages is supported.

  • Peer Supports Fragmentation: A flag that is set after the peer indicates fragmentation support through notifications sent via IKE_SA_INIT request and response messages, as described in section 2.2.11.1.

  • Fragmentation Determination: Fragmentation is determined by the size of the packet being sent along with the previously specified flags. After determining that fragmentation is supported by both sides, the chosen MTU SHOULD be the minimum MTU for the IP protocol, which is 576 bytes for IPv4 and 1280 bytes for IPv6.

  • Fragment queue: A queue holding the fragments that correspond to incomplete IKE messages, indexed by the Fragment ID. Each entry in the queue MUST contain the following:

    • Fragment ID, which is the Message ID, is set to the Fragment_ID field in section 2.2.3.1.

    • Fragment Number, which is set to the Fragment_Number field in section 2.2.3.1.

    • Total Fragments

    • Fragment Data, which is set to the Fragment_Data field in section 2.2.3.1.

  • Flow state table: The following information MUST be maintained.

    • Number of fragments received MUST be accounted for and MUST never exceed the Total Fragments value or the MAX limit.

    • Total fragment size of the re-assembled packet MUST NOT exceed the MAX limit.
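The following is an added example, not code from the specification or from any implementation of it. It models the MMSAD state described above in Python: the two support flags feeding the Fragmentation Determination (minimum MTU of 576 bytes for IPv4 and 1280 bytes for IPv6), a sender-side splitter, and a Fragment queue indexed by Fragment ID that enforces both flow-state limits. Wire encoding, encryption and the IKE_SA_INIT notifications are out of scope; the concrete MAX limit values, the per-fragment header overhead, 1-based fragment numbering and all names (FragmentQueue, PendingMessage, FragmentLimitError) are assumptions made for the example.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Minimum MTUs named in the text for each IP version.
IPV4_MIN_MTU = 576
IPV6_MIN_MTU = 1280

# Assumed values for the "MAX limit" the text refers to; the text gives no numbers.
DEFAULT_MAX_FRAGMENTS = 64
DEFAULT_MAX_REASSEMBLED_SIZE = 64 * 1024


class FragmentLimitError(ValueError):
    """Raised when a fragment would violate a flow-state limit."""


def choose_mtu(fragmentation_supported: bool, peer_supports_fragmentation: bool,
               ipv6: bool) -> Optional[int]:
    """Fragmentation Determination: fragment only when both flags are set,
    and then at the minimum MTU for the IP version in use (None = do not fragment)."""
    if not (fragmentation_supported and peer_supports_fragmentation):
        return None
    return IPV6_MIN_MTU if ipv6 else IPV4_MIN_MTU


def split_message(message: bytes, mtu: int,
                  per_fragment_overhead: int) -> List[Tuple[int, int, bytes]]:
    """Sender side: cut a message into (Fragment_Number, Total_Fragments, Fragment_Data).
    per_fragment_overhead is the assumed size of the IP/UDP/IKE/fragment headers each
    fragment carries; fragment numbers are assumed to start at 1."""
    if mtu <= per_fragment_overhead:
        raise ValueError("MTU leaves no room for fragment data")
    chunk = mtu - per_fragment_overhead
    total = max(1, math.ceil(len(message) / chunk))
    return [(i + 1, total, message[i * chunk:(i + 1) * chunk]) for i in range(total)]


@dataclass
class PendingMessage:
    """One Fragment queue entry: the pieces of a not-yet-complete message."""
    total_fragments: int
    fragments: Dict[int, bytes] = field(default_factory=dict)  # Fragment Number -> data
    received_bytes: int = 0


class FragmentQueue:
    """Fragment queue plus the flow-state limits the text requires."""

    def __init__(self, max_fragments: int = DEFAULT_MAX_FRAGMENTS,
                 max_reassembled_size: int = DEFAULT_MAX_REASSEMBLED_SIZE):
        self.max_fragments = max_fragments
        self.max_reassembled_size = max_reassembled_size
        self.pending: Dict[int, PendingMessage] = {}  # indexed by Fragment ID

    def receive(self, fragment_id: int, fragment_number: int,
                total_fragments: int, data: bytes) -> Optional[bytes]:
        """Queue one fragment. Returns the reassembled message once every piece has
        arrived, None while incomplete. Any limit violation discards the whole entry
        for that Fragment ID and raises FragmentLimitError."""
        if total_fragments < 1 or total_fragments > self.max_fragments:
            self.pending.pop(fragment_id, None)
            raise FragmentLimitError("Total Fragments exceeds MAX limit")
        if not 1 <= fragment_number <= total_fragments:
            self.pending.pop(fragment_id, None)
            raise FragmentLimitError("Fragment Number outside 1..Total Fragments")

        entry = self.pending.setdefault(fragment_id, PendingMessage(total_fragments))
        if entry.total_fragments != total_fragments:
            # Conflicting Total Fragments for the same Message ID: drop the state.
            del self.pending[fragment_id]
            raise FragmentLimitError("inconsistent Total Fragments for Fragment ID")
        if fragment_number in entry.fragments:
            # Duplicate: not counted again, so fragments received never exceeds the total.
            return None
        if entry.received_bytes + len(data) > self.max_reassembled_size:
            del self.pending[fragment_id]
            raise FragmentLimitError("re-assembled size would exceed MAX limit")

        entry.fragments[fragment_number] = data
        entry.received_bytes += len(data)
        if len(entry.fragments) < entry.total_fragments:
            return None
        del self.pending[fragment_id]
        return b"".join(entry.fragments[n] for n in range(1, entry.total_fragments + 1))
```

Both limits are checked before the fragment is stored, and a violation removes the whole pending entry rather than leaving partial state behind, so a peer cannot grow the queue past the configured bounds by sending oversized or inconsistent fragments. Duplicates are accepted silently but not counted, which keeps the received count at or below Total Fragments as the text requires.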