
Re: some issues about IPSec



Rob,

You should re-read my mail again. First, I was talking about an IP-like layer below the TCP/IP
stack, not another TCP/IP stack. Second, the MTU setting was discussed here many moons
ago - this is not a local matter only - you have to discover the MTU end-to-end - and
this could be very challenging. Third, fragmenting my own packets is easy, but
re-assembling someone else's datagrams is a different story. Fourth, we are not
discussing here the benefits of the tunnel mode, but rather questioning the advantages of the
transport mode over tunnel mode (while admitting that there is an overhead of one IP
header's worth).

Rob Adams wrote:

> This doesn't translate into another tcp under the stack at all.
> You simply have to be creative about setting MTU.. fake ICMP
> packets and the like...  Which I imagine you'd want to do anyway.
>
> You'll end up fragmenting your own packets once you've transformed
> them anyway.  Especially if you're going to do tunnel mode.
>
> Seems to me an efficient implementation would make sure that no
> fragmentation occurs.  Especially for the modem case.
>
> I still don't see the benefit.
>
> -----Original Message-----
> From:   Bronislav Kavsan [SMTP:bkavsan@ire-ma.com]
> Sent:   Friday, January 23, 1998 8:31 PM
> To:     ipsec@tis.com
> Subject:        Re: some issues about IPSec
>
> Rob Adams wrote:
>
> > .....And even if that was a common implementation, I'm not sure how
> > a bump in the stack implementation would benefit greatly by only doing
> > tunnel... Can you explain this?
>
> Rob, the transport mode requires encryption before fragmentation - in BITS
> implementation it translates into creating another IP protocol below TCP/IP
> protocol for re-assembling fragmented packets, encrypting resulting datagram and
> fragmenting it again.
>
> In the tunnel mode - you can encrypt each fragment separately without re-assembling
> them into a datagram.
>
> Also, the BITS implementation will be very common on the Windows platform until
> Microsoft implements IPsec in their stack.
>
> Slava Kavsan
> IRE
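The fragmentation-versus-overhead argument in this thread comes down to packet-size arithmetic. The following is an added worked example (my own code, not from the thread or from any IPsec implementation) that computes the on-the-wire ESP datagram size in transport and tunnel mode and the largest inner payload that still fits a path MTU without fragmentation. It assumes IPv4 without options (20-byte header) and ESP framing as in RFC 4303 (SPI, sequence number, IV, payload, padding to the cipher block, pad-length/next-header trailer, ICV); the default 8-byte IV/block and 12-byte ICV model the DES-CBC with HMAC-MD5-96 of the period and are my assumption.

```python
# Added example: ESP size arithmetic for transport vs. tunnel mode.
# Assumptions (mine, not the thread's): IPv4 without options, ESP framing per
# RFC 4303, defaults of 8-byte IV and cipher block (DES-CBC) and 12-byte ICV
# (HMAC-MD5-96); pass iv_len/block_size/icv_len for other algorithms.

IPV4_HEADER = 20
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)


def esp_padding(plaintext_len: int, block_size: int) -> int:
    """Padding bytes so that plaintext + padding + 2-byte trailer is block-aligned."""
    return (-(plaintext_len + ESP_TRAILER)) % block_size


def esp_packet_len(inner_payload_len: int, mode: str, *, iv_len: int = 8,
                   block_size: int = 8, icv_len: int = 12) -> int:
    """Total IPv4 datagram length after ESP protection.

    inner_payload_len: bytes above IP in the original packet (e.g. TCP header + data).
    'transport' protects only that payload behind the original IP header;
    'tunnel' protects the whole original datagram (inner IP header included)
    and prepends a fresh outer IPv4 header.
    """
    if mode == "transport":
        protected = inner_payload_len
    elif mode == "tunnel":
        protected = IPV4_HEADER + inner_payload_len
    else:
        raise ValueError(f"unknown mode: {mode}")
    pad = esp_padding(protected, block_size)
    return IPV4_HEADER + ESP_HEADER + iv_len + protected + pad + ESP_TRAILER + icv_len


def needs_fragmentation(inner_payload_len: int, mode: str, path_mtu: int, **esp) -> bool:
    """True if the protected datagram exceeds the path MTU and must be fragmented."""
    return esp_packet_len(inner_payload_len, mode, **esp) > path_mtu


def max_unfragmented_payload(mode: str, path_mtu: int, **esp) -> int:
    """Largest inner payload whose protected datagram still fits path_mtu.

    This is the figure a BITS implementation has to enforce by clamping the
    MSS or reporting a smaller MTU upward, as the thread discusses.
    Protected size is non-decreasing in the payload, so a linear scan suffices.
    """
    best = 0
    for n in range(path_mtu + 1):
        if esp_packet_len(n, mode, **esp) <= path_mtu:
            best = n
    return best


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(mode, esp_packet_len(1480, mode), max_unfragmented_payload(mode, 1500))
```

With the defaults and a 1500-byte path MTU, transport mode leaves room for a 1446-byte inner payload and tunnel mode for 1426 bytes, i.e. one IPv4 header less, and a full 1480-byte payload must be fragmented in either mode.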
