
Re: using port numbers in selectors

Paul Koning wrote:

> >>>>> "Dan" == Dan Harkins <dharkins@network-alchemy.com> writes:
>
>  Dan> For gateways, yes. If you've negotiated port/protocol
>  Dan> granularity for an IPSec SA and a packet gets fragmented prior
>  Dan> to being IPSec protected then the other end will have to queue
>  Dan> up enough of the decapsulated fragments to get the port/protocol
>  Dan> and decide whether to forward it on to the ultimate end-system.
>
> It may not be able to do that, for example if the first fragment went
> a different route.

If you are talking about secured fragments, they all will go to the
same security gateway, as the IP destination address of the tunnel header is the same
for all fragments. Even though they take different routes in the internet, they
go to the same remote SG.

But from the local host to the local SG, all fragments have to go to the same
gateway for PORT selectors to work.

> Also, the problem applies equally well to end
> systems if using tunnel mode, since the (inner) reassembly occurs
> after the IPSEC processing.
>
>         paul

Regards
Srini
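The queuing Dan describes, as an added example written for this page (it is not code from the thread or from any IPsec implementation): a gateway holds decapsulated non-first fragments until the first fragment, which carries the transport header, arrives, then applies the port/protocol selector to the whole datagram at once. The names (Fragment, Selector, FragmentQueue) are hypothetical, offsets are given in bytes rather than 8-byte units for readability, and the sample fragments are constructed. The case Paul raises, a first fragment that never reaches this gateway, is covered by expire(), which a real implementation would drive from a reassembly timer; a first fragment too short to carry the port numbers is treated as not matching the selector.

```python
from dataclasses import dataclass

# Hypothetical model of a post-decapsulation fragment queue; not from the thread.

@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int        # IP Identification field, shared by all fragments of one datagram
    proto: int        # inner transport protocol: 6 = TCP, 17 = UDP
    offset: int       # fragment offset in bytes (the IP header stores it in 8-byte units)
    more: bool        # MF flag
    payload: bytes    # transport data carried by this fragment


@dataclass(frozen=True)
class Selector:
    proto: int
    dst_port: int


def transport_ports(proto, payload):
    """Return (src_port, dst_port) from the first four bytes of a TCP/UDP
    header, or None if the protocol has no ports or the fragment is too short."""
    if proto not in (6, 17) or len(payload) < 4:
        return None
    return (int.from_bytes(payload[0:2], "big"),
            int.from_bytes(payload[2:4], "big"))


class FragmentQueue:
    """Applies a port/protocol selector to fragmented inner packets.

    Non-first fragments are held until the first fragment of the same
    (src, dst, ident) datagram shows the ports; the decision then covers
    every fragment of that datagram, including ones that arrive later."""

    def __init__(self, selector):
        self.selector = selector
        self.pending = {}    # datagram key -> fragments waiting for the first fragment
        self.decisions = {}  # datagram key -> True (forward) / False (drop)

    @staticmethod
    def key(frag):
        return (frag.src, frag.dst, frag.ident)

    def matches(self, frag):
        ports = transport_ports(frag.proto, frag.payload)
        return (ports is not None
                and frag.proto == self.selector.proto
                and ports[1] == self.selector.dst_port)

    def receive(self, frag):
        """Return the list of fragments that may be forwarded now (possibly empty)."""
        k = self.key(frag)
        if k in self.decisions:                 # ports already seen for this datagram
            return [frag] if self.decisions[k] else []
        if frag.offset == 0:                    # first fragment: decide for the datagram
            allowed = self.matches(frag)
            self.decisions[k] = allowed
            queued = self.pending.pop(k, [])
            return [frag] + queued if allowed else []
        self.pending.setdefault(k, []).append(frag)   # hold until the ports are known
        return []

    def expire(self, k):
        """Give up on a datagram whose first fragment never arrived here (for
        example because it took a path to another gateway); returns the
        fragments that were held so the caller can drop and count them."""
        self.decisions.pop(k, None)
        return self.pending.pop(k, [])


if __name__ == "__main__":
    q = FragmentQueue(Selector(proto=17, dst_port=53))
    first = Fragment("10.0.0.1", "10.0.1.1", 7, 17, 0, True, bytes([4, 210, 0, 53]) + b"x" * 20)
    second = Fragment("10.0.0.1", "10.0.1.1", 7, 17, 24, False, b"y" * 10)
    print(q.receive(second))   # [] : held until the first fragment arrives
    print(q.receive(first))    # both fragments, first one first
```

Selector state is keyed on the inner (src, dst, ident) triple, so a datagram whose fragments are spread across two SAs or two gateways can never be matched here, which is exactly why the local host must send every fragment to the same SG.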
