
Re: using port numbers in selectors




>>>>> "Paul" == Paul Koning <pkoning@xedia.com> writes:

>>>>> "Dan" == Dan Harkins <dharkins@network-alchemy.com> writes:

    Dan> For gateways, yes. If you've negotiated port/protocol granularity
    Dan> for an IPSec SA and a packet gets fragmented prior to being IPSec
    Dan> protected then the other end will have to queue up enough of the
    Dan> decapsulated fragments to get the port/protocol and decide whether
    Dan> to forward it on to the ultimate end-system.

    Paul> It may not be able to do that, for example if the first fragment
    Paul> went a different route.  Also, the problem applies equally well to
    Paul> end systems if using tunnel mode, since the (inner) reassembly
    Paul> occurs after the IPSEC processing.

  This is only relevant for a gateway system. It has no relevance to end
systems.
  IPsec is one way to build a VPN. IPsec is NOT just VPNs.

   :!mcr!:            |  Cow#1: Are you worried about getting Mad Cow Disease?
   Michael Richardson |  Cow#2: No. I'm a duck.
 Home: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html  mcr@sandelman.ottawa.on.ca. PGP key available.
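The queuing problem Dan and Paul describe above, as an added toy model in Python that is not part of the original thread or of any IPsec implementation. It assumes a single port/protocol-granular SA selector on the receiving gateway, fragments that have already been decapsulated, and constructed sample fragments; the class and function names are hypothetical. Only the first fragment (offset 0) carries the transport header, so non-first fragments are held until it arrives, and a datagram whose first fragment never shows up (Paul's "went a different route" case) can only be dropped on expiry.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    """One IP fragment after IPsec decapsulation (toy model, constructed)."""
    src: str
    dst: str
    ip_id: int
    proto: int      # 6 = TCP
    offset: int     # fragment offset in bytes; only offset 0 carries the L4 header
    more: bool      # MF flag
    payload: bytes


def transport_ports(frag):
    """(sport, dport) if this fragment holds the transport header, else None.

    Only the first fragment (offset 0) with at least 4 bytes of payload can be
    classified on ports; every other fragment is opaque to a port selector."""
    if frag.offset != 0 or len(frag.payload) < 4:
        return None
    return (int.from_bytes(frag.payload[0:2], "big"),
            int.from_bytes(frag.payload[2:4], "big"))


@dataclass(frozen=True)
class PortSelector:
    """A port/protocol-granular SA selector (hypothetical name), the case Dan describes."""
    proto: int
    dport: int

    def matches(self, frag, ports):
        return frag.proto == self.proto and ports[1] == self.dport


class FragmentClassifier:
    """Decides per fragment whether to forward it on to the end system.

    Non-first fragments are queued until the fragment carrying the ports arrives."""

    def __init__(self, selector):
        self.selector = selector
        self.pending = {}    # datagram key -> fragments waiting for a verdict
        self.verdicts = {}   # datagram key -> "forward" | "discard"

    @staticmethod
    def key(frag):
        return (frag.src, frag.dst, frag.proto, frag.ip_id)

    def handle(self, frag):
        """Return the (fragment, verdict) pairs released by this arrival."""
        k = self.key(frag)
        if k in self.verdicts:                       # datagram already decided
            return [(frag, self.verdicts[k])]
        ports = transport_ports(frag)
        if ports is None:                            # no ports here: must hold it
            self.pending.setdefault(k, []).append(frag)
            return []
        verdict = "forward" if self.selector.matches(frag, ports) else "discard"
        self.verdicts[k] = verdict
        held = self.pending.pop(k, [])
        return [(f, verdict) for f in held + [frag]]

    def expire(self):
        """Drop everything still waiting: the first fragment never arrived
        (Paul's point), so no port-based decision is possible. Returns the count."""
        dropped = sum(len(v) for v in self.pending.values())
        self.pending.clear()
        return dropped


def demo():
    """Constructed scenario: a TCP/80 datagram split in three, arriving out of
    order; a datagram whose first fragment never arrives; a TCP/22 datagram
    that the selector rejects."""
    clf = FragmentClassifier(PortSelector(proto=6, dport=80))
    http_hdr = (40000).to_bytes(2, "big") + (80).to_bytes(2, "big") + b"\x00" * 20
    ssh_hdr = (4444).to_bytes(2, "big") + (22).to_bytes(2, "big") + b"\x00" * 20
    d1 = [Fragment("10.0.0.1", "10.0.1.1", 1, 6, 0, True, http_hdr),    # has ports
          Fragment("10.0.0.1", "10.0.1.1", 1, 6, 24, True, b"A" * 16),
          Fragment("10.0.0.1", "10.0.1.1", 1, 6, 40, False, b"B" * 8)]
    orphan = Fragment("10.0.0.1", "10.0.1.1", 2, 6, 24, True, b"C" * 16)
    ssh = Fragment("10.0.0.1", "10.0.1.1", 3, 6, 0, False, ssh_hdr)
    released = [len(clf.handle(d1[1])),   # second fragment first: nothing released
                len(clf.handle(d1[0])),   # first arrives: both released, forward
                len(clf.handle(d1[2])),   # last fragment: decided immediately
                len(clf.handle(orphan)),  # no first fragment ever: held
                len(clf.handle(ssh))]     # ports present, selector rejects it
    return {"released": released,
            "verdict_http": clf.verdicts[FragmentClassifier.key(d1[0])],
            "verdict_ssh": clf.verdicts[FragmentClassifier.key(ssh)],
            "dropped": clf.expire()}


if __name__ == "__main__":
    print(demo())
```

The `pending` table is exactly the per-datagram state Dan says a gateway must keep; a real implementation has to bound it (count and age) because anyone who can reach the SA can fill it with non-first fragments that never complete.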