lib.ipsec.esp: correct bogus note about IP fragment handling

snabbco · Apr 12, 2018 · 53ae8bd · 53ae8bd
1 parent bb72e66
commit 53ae8bd
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 7 deletions.
diff --git a/src/lib/ipsec/README.md b/src/lib/ipsec/README.md
@@ -6,6 +6,8 @@ transport modes. Currently, the only supported cipher is AES-GCM cipher with
 128‑bit keys, 4 bytes of salt, and a 12 byte authentication code. These classes
 do not implement any key exchange protocol.
 
+Note: the classes in this module do not reject IP fragments of any sort.
+
 References:
 
 - [IPsec Wikipedia page](https://en.wikipedia.org/wiki/IPsec).

diff --git a/src/lib/ipsec/esp.lua b/src/lib/ipsec/esp.lua
@@ -13,14 +13,10 @@ module(...,package.seeall)
 --    it is assumed to be an unrealistic scenario as it would take 584 years to
 --    overflow the counter when transmitting 10^9 packets per second.
 --
---  * decapsulate_transport6: Rejection of IP fragments is *not* implemented
---    because `lib.protocol.ipv6' does not support fragmentation. E.g.
---    fragments will be rejected because they can not be parsed as IPv6
---    packets. If however `lib.protocol.ipv6' were to be updated to be able to
---    parse IP fragments this implementation would have to be updated as well
---    to remain correct. See the “Reassembly” section of RFC 4303 for details:
+--  * IP fragments are *not* rejected by the routines in this library, and are
+--    expected to be handled prior to encapsulation/decapsulation.
+--    See the “Reassembly” section of RFC 4303 for details:
 --    https://tools.ietf.org/html/rfc4303#section-3.4.1
---
 
 local header = require("lib.protocol.header")
 local datagram = require("lib.protocol.datagram")