
RE: some issues about IPSec



This doesn't translate into another TCP under the stack at all.
You simply have to be creative about setting MTU... fake ICMP
packets and the like... Which I imagine you'd want to do anyway.

You'll end up fragmenting your own packets once you've transformed
them anyway.  Especially if you're going to do tunnel mode.   

Seems to me an efficient implementation would make sure that no 
fragmentation occurs.  Especially for the modem case. 

I still don't see the benefit. 

-----Original Message-----
From:	Bronislav Kavsan [SMTP:bkavsan@ire-ma.com]
Sent:	Friday, January 23, 1998 8:31 PM
To:	ipsec@tis.com
Subject:	Re: some issues about IPSec

Rob Adams wrote:

> .....And even if that was a common implementation, I'm not sure how
> a bump in the stack implementation would benefit greatly by only doing
> tunnel... Can you explain this?

Rob, the transport mode requires encryption before fragmentation - in a BITS
implementation it translates into creating another IP protocol below the TCP/IP
protocol for re-assembling fragmented packets, encrypting the resulting datagram and
fragmenting it again.

In the tunnel mode - you can encrypt each fragment separately without re-assembling
them into a datagram.

Also, the BITS implementation will be very common on the Windows platform until
Microsoft implements IPsec in their stack.

Slava Kavsan
IRE
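
The MTU point raised in this thread, worked through as an added example that is not part of either message: how much ESP tunnel mode grows a packet, how many fragments a full-size packet then needs, and the largest inner MTU that avoids fragmentation. The field sizes are assumptions (IPv4 without options, the ESP layout of RFC 4303, and 3DES-CBC with HMAC-SHA1-96 as the default transform); the function names are hypothetical.

```python
# Added example: sizes are assumptions (IPv4 without options, ESP layout per RFC 4303).
IPV4_HDR = 20          # outer IPv4 header, no options
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)


def esp_tunnel_size(inner_len, iv_len=8, block=8, icv_len=12):
    """Size on the wire of an inner IP packet of inner_len bytes after
    ESP tunnel-mode encapsulation. Defaults assume 3DES-CBC + HMAC-SHA1-96."""
    align = max(block, 4)                       # ESP needs at least 4-byte alignment
    padded = -(-(inner_len + ESP_TRAILER) // align) * align
    return IPV4_HDR + ESP_HDR + iv_len + padded + icv_len


def max_inner_mtu(link_mtu, iv_len=8, block=8, icv_len=12):
    """Largest inner packet that still fits in link_mtu after encapsulation."""
    align = max(block, 4)
    room = link_mtu - IPV4_HDR - ESP_HDR - iv_len - icv_len
    if room < align:
        raise ValueError("link MTU too small for this transform")
    return room // align * align - ESP_TRAILER


def fragments_needed(packet_len, link_mtu):
    """Number of IPv4 fragments needed to carry packet_len over link_mtu."""
    if packet_len <= link_mtu:
        return 1
    per_fragment = (link_mtu - IPV4_HDR) // 8 * 8   # offsets count 8-byte units
    payload = packet_len - IPV4_HDR
    return -(-payload // per_fragment)


if __name__ == "__main__":
    for mtu in (1500, 576):     # Ethernet, and a constructed modem-link MTU
        full = esp_tunnel_size(mtu)
        print(f"link MTU {mtu}: full-size inner packet becomes {full} bytes, "
              f"{fragments_needed(full, mtu)} fragments; "
              f"inner MTU {max_inner_mtu(mtu)} avoids that")
```
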




