[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IPSEC AH -- document
On Wed, 28 May 1997, Stephen Kent wrote:
> The reason for the additional text is exactly what it says, i.e.,
> because of the need to deal with fragments transmitted by the host.
> Perhaps the wording was too strong, and should merely be a warning that
> these implementations must be aware of the requirement to apply AH (and
> ESP) only to complete datagrams. I note that fragments created by the
> host might exist via two different interfaces in a multi-homed host, so a
> BITW device or very low level BITS code might not be able to do reassembly,
> IPsec, and then refragmnent, in that instance. Such implementations would
> have a similar problems for incoming fragements that arrive on separate
> interfaces and would be reassembled in the native IP implementation. So,
Seems to me that all incoming fragments have the same IP destination address,
and thus must arrive on the same interface. Am I missing something?
> those worst case scenarios motivated my recommendation. Still, I'm happy
> to change the wording to merely refelct the requirement that special care
> must be taken in these implementations to ensure the ability to properly
> perform AH and ESP, on both outbound and inbound traffic. Would that be OK?
Norm
Norman Shulman Secure Computing Canada
Systems Developer Tel 1 416 813 2075
norm@tor.securecomputing.com Fax 1 416 813 2001
Follow-Ups:
References: