Which two statements about the fragmentation of IPsec packets in routers are true? (Choose two.)
Click on the arrows to vote for the correct answer
A. B. C. D.BC.
IPsec provides secure communication over the internet by encrypting IP packets. Encryption of packets may cause the packet size to increase due to the addition of overhead information. Fragmentation of IPsec packets is a process of breaking down large packets into smaller ones so that they can pass through smaller Maximum Transmission Unit (MTU) network links.
Here are the explanations of the given options:
A. By default, the IP packets that need encryption are first encrypted with ESP. If the resulting encrypted packet exceeds the IP MTU on the egress physical interface, then the encrypted packet is fragmented and sent out. This statement is true. When a packet is sent over an IPsec tunnel, it is first encrypted with ESP (Encapsulating Security Payload) protocol. If the encrypted packet is larger than the IP MTU on the egress physical interface, then the packet is fragmented before being sent out.
B. By default, the router knows the IPsec overhead to add to the packet. The router performs a lookup if the packet will exceed the egress physical interface IP MTU after encryption, then fragments the packet and encrypts the resulting IP fragments separately. This statement is also true. When a packet is to be encrypted, the router calculates the IPsec overhead to be added to the packet. If the resulting packet size exceeds the egress physical interface IP MTU, the router fragments the packet and encrypts the resulting fragments separately.
C. Increases CPU utilization on the decrypting device. This statement is incorrect. Fragmentation of IPsec packets does not increase CPU utilization on the decrypting device.
D. Increases CPU utilization on the encrypting device. This statement is also incorrect. Fragmentation of IPsec packets increases CPU utilization on the router that performs the fragmentation and encryption. However, it does not increase CPU utilization on the encrypting device.
In conclusion, options A and B are true statements about the fragmentation of IPsec packets in routers.