[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments on latest IPSP drafts

To: Hilarie Orman <ho@cs.arizona.edu>, linehan@watson.ibm.com
Subject: Re: Comments on latest IPSP drafts
From: rgm3@is.chrysler.com (Robert Moskowitz)
Date: Tue, 11 Apr 1995 06:32:03 -0400
Cc: ipsec@ans.net

At 12:24 PM 4/10/95 -0700, Hilarie Orman wrote:
>>I suggest that there should be a discussion of the impact of IP
>>fragmentation.  In particular: (a) performance is affected since IP packets
>>that already equal the MTU size will overflow with the addition of the AH or
>>ESP data; (b) I think there should be an implementation note that the
sender of
>>an IPSP packet should make sure to put it through the fragmentation process,
>>and the destination of an IPSP packet must reassemble it before processing the
>>AH header or ESP payload.
>
>In our prototyping of an IP security layer, we approached this by
>having the sender's query for the MTU be intercepted by the security
>layer, which subtracts the header lengths from the actual network MTU.
>The sender thus learns how much payload is available.  The
>implementation of security as a layer makes the frag/reassembly
>constraint natural and obvious.

But this does not help a user of a PPP dialup link that was getting 24Kb
throughput from a V.32bis modem and now is getting 14Kb.  That is a REAL
degredation of throughput, much worst than what we have been talking about
for Ethernet based users.  And remember, there is also ISDN compression...

Robert Moskowitz
Chrysler Corporation
(810) 758-8212

Prev by Date: IPSEC Comments
Next by Date: Re: Bellovin's attack and others like it
Next by thread: Re: IPv6 Security Last Call Initial Questions
Index(es):
- Main
- Thread