
Re: Comments on latest IPSP drafts



>I suggest that there should be a discussion of the impact of IP
>fragmentation.  In particular: (a) performance is affected since IP packets
>that already equal the MTU size will overflow with the addition of the AH or
>ESP data; (b) I think there should be an implementation note that the sender of
>an IPSP packet should make sure to put it through the fragmentation process,
>and the destination of an IPSP packet must reassemble it before processing the
>AH header or ESP payload.

In our prototyping of an IP security layer, we approached this by
having the sender's query for the MTU be intercepted by the security
layer, which subtracts the header lengths from the actual network MTU.
The sender thus learns how much payload is available.  The
implementation of security as a layer makes the frag/reassembly
constraint natural and obvious.
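
The MTU interception described in the reply, sketched as an added example that is not part of the original message or of the prototype it mentions. The `struct layer` interface, the 1500-byte link MTU and the 24-byte security-header length are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define IP_HDR_LEN 20u  /* IPv4 header without options */

/* Hypothetical layer interface: each layer answers an MTU query. */
struct layer {
    size_t (*get_mtu)(const struct layer *self);
    const struct layer *below;  /* next layer down, NULL for the link */
    size_t overhead;            /* bytes this layer adds to each packet */
};

/* Link layer: reports the actual network MTU (constructed value). */
static size_t link_get_mtu(const struct layer *self) { (void)self; return 1500; }

/* Security layer: intercepts the query and subtracts its header length. */
static size_t sec_get_mtu(const struct layer *self)
{
    size_t mtu = self->below->get_mtu(self->below);
    return mtu > self->overhead ? mtu - self->overhead : 0;
}

/* IPv4 fragments needed for a packet of pkt_len bytes (IP header included). */
static size_t fragments_needed(size_t pkt_len, size_t mtu)
{
    if (pkt_len <= mtu) return 1;
    if (mtu < IP_HDR_LEN + 8) return 0;             /* link cannot carry a fragment */
    size_t per_frag = ((mtu - IP_HDR_LEN) / 8) * 8; /* offsets count 8-byte units */
    return (pkt_len - IP_HDR_LEN + per_frag - 1) / per_frag;
}

/* Fragments on the wire after the security header is added to the packet. */
size_t fragments_after_protection(const struct layer *sec, size_t pkt_len)
{
    return fragments_needed(pkt_len + sec->overhead,
                            sec->below->get_mtu(sec->below));
}

static const struct layer link_layer = { link_get_mtu, NULL, 0 };
static const struct layer sec_layer  = { sec_get_mtu, &link_layer, 24 }; /* assumed length */

/* What a sender sees when it asks "what is the MTU?" through the security layer. */
size_t sender_visible_mtu(void) { return sec_layer.get_mtu(&sec_layer); }

int main(void)
{
    size_t m = sender_visible_mtu();
    printf("sender sees MTU %zu\n", m);
    printf("packet of %zu bytes -> %zu fragment(s)\n", m, fragments_after_protection(&sec_layer, m));
    printf("packet of 1500 bytes -> %zu fragment(s)\n", fragments_after_protection(&sec_layer, 1500));
    return 0;
}
```

A sender that sizes packets to the intercepted value stays at one fragment; a sender that uses the raw link MTU pays for a second fragment on every full-size packet.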

