Why can't ?
Hi All,
With respect to the draft draft-ietf-ipsec-arch-sec-03.txt
Case 3. This case combines cases 1 and 2, adding end-to-end security
between the sending and receiving hosts. It imposes no new
requirements on the hosts or security gateways, other than a
requirement for a security gateway to be configurable to pass
IPsec traffic (including ISAKMP traffic) for hosts behind it.
    ===============================================================
    |                                                             |
    |                 =========================                   |
    |                 |                       |                   |
----|-----------------|----                ---|-------------------|---
|   |                 |   |                |  |                   |  |
|  H1* -- (Local --- SG1* |-- (Internet) --| SG2* --- (Local --- H2* |
|          Intranet)      |                |           Intranet)     |
---------------------------                ---------------------------
  admin. boundary                            admin. boundary
Here consider that the host H1 sends out fragments or the incoming packets
to the SG1 are fragmented; then
* Whether such a situation arises that the incoming packets to a security
gateway are fragmented?
* What does the security gateway do in such a situation? Does it reassemble
all the packets (even though they are not destined for it, because
reassembly occurs only at the destination) and apply tunnel mode, i.e. do
IPsec processing on the reassembled packet and send it out with or without
fragmentation as needed?
* Does it discard the packet since a fragment has come to the IPsec
processing?
* Why can't we apply IPsec processing on fragments? (I did not get anything
from the explanation given in the draft.) If it's only due to the src and
dest ports (which we can't get from the fragments, and if it is ESP) then
that is not sufficient reason to discard fragments from the IPsec
processing, because most of the time the packet will get fragmented or
it will be in ESP mode. If we can apply IPsec on fragments then we can
avoid the unnecessary reassembly at the SG1 just to apply IPsec.
Thank you in advance
Bridging the gap between hardware and software
with best wishes
- K. SrinivasRao(email : srinu@trinc.com )
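The fragment question above, as an added example that is not code from the draft or from the poster: a small Python model of a security gateway like SG1 that receives the fragments of a host's packet. It shows that a non-initial fragment carries no transport header, so an SPD selector on a port cannot be evaluated per fragment, and that reassembling before tunnel-mode processing is what makes the match possible. The SPD entry, the addresses and the packet bytes are constructed; the model stops at the PROTECT/DISCARD decision and does not build the ESP tunnel packet.

```python
import ipaddress
from collections import defaultdict, namedtuple

# One IP fragment; offset is in bytes here (the real header counts 8-byte units),
# more is the More-Fragments flag, payload is the fragment's data.
Fragment = namedtuple("Fragment", "src dst ident proto offset more payload")
# Constructed SPD entry: protect SMTP (TCP/25) from the left intranet to the right one.
SPD = [{"src": "10.1.0.0/16", "dst": "10.2.0.0/16", "proto": 6, "dport": 25}]

def spd_lookup(src, dst, proto, transport):
    """'PROTECT' if an SPD entry matches; the port comes from the transport header."""
    dport = int.from_bytes(transport[2:4], "big") if len(transport) >= 4 else None
    for e in SPD:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(e["src"])
                and ipaddress.ip_address(dst) in ipaddress.ip_network(e["dst"])
                and proto == e["proto"] and dport == e["dport"]):
            return "PROTECT"
    return "DISCARD"

def classify_fragment(f):
    """Per-fragment matching: only the first fragment carries the ports at all."""
    if f.offset != 0:
        return "NO_PORTS"  # non-initial fragment: the port selector cannot be evaluated
    return spd_lookup(f.src, f.dst, f.proto, f.payload)

class Reassembler:
    """Collects fragments per (src, dst, id, proto); overlapping pieces are not handled."""
    def __init__(self):
        self.pieces = defaultdict(dict)  # key -> {offset: payload}
        self.total = {}                  # key -> full length, known once MF=0 is seen
    def add(self, f):
        """Return the reassembled packet when its last piece arrives, else None."""
        key = (f.src, f.dst, f.ident, f.proto)
        self.pieces[key].setdefault(f.offset, f.payload)  # duplicates are ignored
        if not f.more:
            self.total[key] = f.offset + len(f.payload)
        if key in self.total and sum(map(len, self.pieces[key].values())) == self.total[key]:
            data = b"".join(self.pieces[key][o] for o in sorted(self.pieces[key]))
            del self.pieces[key], self.total[key]
            return data
        return None

def gateway(fragments):
    """Reassemble first, then match the SPD on the whole packet: one decision per packet."""
    r, out = Reassembler(), []
    for f in fragments:
        pkt = r.add(f)
        if pkt is not None:
            out.append(spd_lookup(f.src, f.dst, f.proto, pkt))
    return out
```

Feeding the same fragments to classify_fragment and to gateway side by side shows the asymmetry the poster asks about: the second fragment alone can never be matched, while the reassembled packet is matched once.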