Re: using port numbers in selectors
>>>>> "Paul" == Paul Koning <pkoning@xedia.com> writes:
>>>>> "Dan" == Dan Harkins <dharkins@network-alchemy.com> writes:
Dan> For gateways, yes. If you've negotiated port/protocol granularity
Dan> for an IPSec SA and a packet gets fragmented prior to being IPSec
Dan> protected then the other end will have to queue up enough of the
Dan> decapsulated fragments to get the port/protocol and decide whether
Dan> to forward it on to the ultimate end-system.
Paul> It may not be able to do that, for example if the first fragment
Paul> went a different route. Also, the problem applies equally well to
Paul> end systems if using tunnel mode, since the (inner) reassembly
Paul> occurs after the IPSEC processing.
This is only relevant for a gateway system. It has no relevance to end
systems.
IPsec is one way to build a VPN. IPsec is NOT just VPNs.
:!mcr!: | Cow#1: Are you worried about getting Mad Cow Disease?
Michael Richardson | Cow#2: No. I'm a duck.
Home: mcr@sandelman.ottawa.on.ca (http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html). PGP key available.
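
The gateway behaviour discussed in this thread, as an added example that is not from any of the participants: a sketch of checking decapsulated inner IPv4 packets against port/protocol selectors when only the first fragment carries the ports. The class name, the `ipv4` helper, the addresses and the policy are all hypothetical and constructed for illustration.

```python
import struct

PROTO = {6: "tcp", 17: "udp"}

def ipv4(ip_id, offset8, more, payload, proto=6):
    """Build a constructed inner IPv4 packet (checksum left as 0, not validated here)."""
    frag = (0x2000 if more else 0) | offset8
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, frag,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

class FragmentSelectorCheck:
    """Hypothetical gateway-side check of decapsulated packets against port selectors."""
    def __init__(self, allowed):
        self.allowed = allowed  # set of (protocol name, destination port)
        self.verdict = {}       # (src, dst, proto, ip_id) -> bool, set by first fragment
        self.pending = {}       # same key -> non-initial fragments seen before the first
        # A real gateway needs timeouts and size limits on both tables.

    def handle(self, pkt):
        """Return the packets that may be forwarded now (possibly none)."""
        ihl = (pkt[0] & 0x0F) * 4
        ip_id, frag = struct.unpack("!HH", pkt[4:8])
        key = (pkt[12:16], pkt[16:20], pkt[9], ip_id)
        if frag & 0x1FFF:                       # non-initial fragment: no ports inside
            if key in self.verdict:
                return [pkt] if self.verdict[key] else []
            self.pending.setdefault(key, []).append(pkt)   # wait for the first fragment
            return []
        if len(pkt) < ihl + 4:                  # ports not present: cannot decide, drop
            return []
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        ok = (PROTO.get(pkt[9]), dport) in self.allowed
        if frag & 0x2000:                       # more fragments follow: remember verdict
            self.verdict[key] = ok
        queued = self.pending.pop(key, [])
        return [pkt] + queued if ok else []

if __name__ == "__main__":
    gw = FragmentSelectorCheck({("tcp", 443)})
    tail = ipv4(7, 3, False, b"B" * 8)
    head = ipv4(7, 0, True, struct.pack("!HH", 40000, 443) + b"A" * 20)
    print(len(gw.handle(tail)), len(gw.handle(head)))
```

If the first fragment never reaches this gateway, the queued fragments stay in `pending` until a timer (not shown) discards them.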