[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: mixed mode datagrams

To: "Hilarie K. Orman" <ho@earth.hpc.org>
Subject: Re: mixed mode datagrams
From: Stephen Kent <kent@bbn.com>
Date: Thu, 31 Dec 1998 14:40:54 -0500
Cc: ipsec@tis.com
In-Reply-To: <199812310346.TAA28678@earth.hpc.org>
Sender: owner-ipsec@ex.tis.com

Hilarie,

>Is it the intention of the specifications to allow an IP datagram to
>be reassembled from a combination of ESP-protected fragments tunnelled
>through different security associations (including the possibility
>of no ESP protection)?

ESP operates on fragments if the fragments arrive at a security gateway and
are then encapsulated in ESP. Thus it is possible for fragments to arrive
at multiple SGs outbound and be passed on multiple SAs, and even arrive at
multiple receiving SGs.  However, there is no requirement that these
fragments be reassembled prior to deliver to the ultimate recipient.  The
problem, as Mike points out, is that if one has SPD entries at the
destination SG(s) that want to look at port fields, this scenario will
fail.  However, contrary to what Mike suggests, implicit ordering of the
SPD would not address this problem, as my example above illustrates, in
more complex topologies.  (Mike's example also seems to make use of a range
for port values [>1024], a feature that was once present in the SPD, but
was dropped because IKE cannot negitiate it.)

Steve

References:

mixed mode datagrams

From: "Hilarie K. Orman" <ho@earth.hpc.org>

Prev by Date: Re: Basic IKE authentication question
Next by Date: Re: Basic IKE authentication question
Next by thread: RE: Monitoring MIB: draft-ietf-ipsec-mib-03.txt
Index(es):
- Main
- Thread