
Re: using port numbers in selectors



>>>>> "Dan" == Dan Harkins <dharkins@network-alchemy.com> writes:

 Dan> For gateways, yes. If you've negotiated port/protocol
 Dan> granularity for an IPSec SA and a packet gets fragmented prior
 Dan> to being IPSec protected then the other end will have to queue
 Dan> up enough of the decapsulated fragments to get the port/protocol
 Dan> and decide whether to forward it on to the ultimate end-system.

It may not be able to do that, for example if the first fragment went
a different route.  Also, the problem applies equally well to end
systems if using tunnel mode, since the (inner) reassembly occurs
after the IPSEC processing.

	paul
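The classification problem the two messages above discuss, as an added Python example that is not part of the thread: a toy selector check over constructed IPv4 datagrams showing which fragments actually carry the port numbers a port/protocol selector needs. The function and packet names are my own, and the checksum is left at zero.

```python
import struct

def build_ipv4(proto: int, payload: bytes, frag_offset: int = 0,
               more: bool = False, ident: int = 0x1234) -> bytes:
    """Build a minimal IPv4 datagram (no options, checksum left zero)."""
    flags_frag = (0x2000 if more else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Return protocol, fragment fields and payload of an IPv4 datagram."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ver_ihl, flags_frag, proto = fields[0], fields[4], fields[6]
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "offset": (flags_frag & 0x1FFF) * 8,
            "more": bool(flags_frag & 0x2000), "payload": pkt[ihl:]}

def selector_decision(pkt: bytes, proto: int, dst_port: int) -> str:
    """Match a packet against a protocol + destination-port selector.

    'reassemble' means the ports are not visible in this fragment: the
    receiver must queue fragments, as the thread describes, before it
    can decide whether the packet belongs to the SA.
    """
    hdr = parse_ipv4(pkt)
    if hdr["proto"] != proto:
        return "no-match"
    if hdr["offset"] != 0 or len(hdr["payload"]) < 4:
        return "reassemble"   # non-initial fragment, or first one too short
    _sport, dport = struct.unpack("!HH", hdr["payload"][:4])
    return "match" if dport == dst_port else "no-match"

# Constructed sample traffic: a 20-byte TCP header to port 25 plus 40 bytes
# of data, once whole and once split into two fragments (first payload = 24 B).
TCP = 6
TCP_SEGMENT = struct.pack("!HH", 40000, 25) + bytes(16) + b"A" * 40
WHOLE = build_ipv4(TCP, TCP_SEGMENT)
FIRST_FRAG = build_ipv4(TCP, TCP_SEGMENT[:24], frag_offset=0, more=True)
LAST_FRAG = build_ipv4(TCP, TCP_SEGMENT[24:], frag_offset=24, more=False)

if __name__ == "__main__":
    for name, p in (("whole", WHOLE), ("first", FIRST_FRAG), ("last", LAST_FRAG)):
        print(name, selector_decision(p, TCP, 25))
```

Only the first fragment can be classified on its own; if it arrives late or by another route, as the reply notes, the queued later fragments cannot be matched against the port selector at all.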

