Re: using port numbers in selectors
>>>>> "Dan" == Dan Harkins <dharkins@network-alchemy.com> writes:
Dan> For gateways, yes. If you've negotiated port/protocol
Dan> granularity for an IPSec SA and a packet gets fragmented prior
Dan> to being IPSec protected then the other end will have to queue
Dan> up enough of the decapsulated fragments to get the port/protocol
Dan> and decide whether to forward it on to the ultimate end-system.
It may not be able to do that, for example if the first fragment went
a different route. Also, the problem applies equally well to end
systems if using tunnel mode, since the (inner) reassembly occurs
after the IPSEC processing.
paul
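As an added illustration (not part of the thread): a constructed IPv4/UDP datagram is fragmented before it reaches the IPsec gateway; only the first fragment exposes the ports a port-granular selector needs, so the receiving gateway has to queue decapsulated fragments until the datagram is whole, and it never becomes whole if one fragment took another route. Addresses, ports and the identification value below are made up.

```python
import struct
from collections import defaultdict

UDP = 17  # IP protocol number for UDP

def ipv4_udp_datagram(ident, sport, dport, data, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Constructed IPv4 header (checksum left zero) + UDP header + payload."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ident, 0, 64, UDP, 0, src, dst) + udp

def fragment(pkt, mtu):
    """Split a datagram as a router ahead of the IPsec gateway would (offsets in 8-byte units)."""
    hdr, payload, step = pkt[:20], pkt[20:], (mtu - 20) // 8 * 8
    frags = []
    for off in range(0, len(payload), step):
        chunk = payload[off:off + step]
        mf = 0x2000 if off + step < len(payload) else 0            # More Fragments flag
        frags.append(hdr[:2] + struct.pack("!H", 20 + len(chunk)) + hdr[4:6] + struct.pack("!H", mf | off // 8) + hdr[8:] + chunk)
    return frags

def selector_ports(pkt):
    """(sport, dport) if the packet carries a transport header, None for a non-initial fragment."""
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:   # fragment offset != 0: no ports present
        return None
    return struct.unpack("!HH", pkt[20:24])

def permitted(pkt, dport):
    """Port-granular SA selector: forward only if the datagram is UDP to dport."""
    ports = selector_ports(pkt)
    return pkt[9] == UDP and ports is not None and ports[1] == dport

class Reassembler:
    """Queue decapsulated fragments per (src, dst, id, proto) until the datagram is whole."""
    def __init__(self):
        self.parts = defaultdict(dict)            # key -> {byte offset: (chunk, more_fragments)}

    def add(self, frag):
        ident, ff = struct.unpack("!HH", frag[4:8])
        key = (frag[12:16], frag[16:20], ident, frag[9])
        self.parts[key][(ff & 0x1FFF) * 8] = (frag[20:], bool(ff & 0x2000))
        data, have_last = b"", False
        for off in sorted(self.parts[key]):
            if off != len(data):                   # hole: still waiting on a fragment
                return None
            chunk, more = self.parts[key][off]
            data, have_last = data + chunk, not more
        if not have_last:
            return None
        del self.parts[key]
        return frag[:2] + struct.pack("!HHH", 20 + len(data), ident, 0) + frag[8:20] + data
```

Feeding only two of three fragments to `Reassembler.add` keeps returning `None`, which is the state a gateway is stuck in when a fragment never arrives on its path; the selector can be evaluated only on the reassembled datagram that `add` returns once the last piece is queued.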