
Re: new second mandatory IPsec cipher



On Wed, 14 Jul 1999 15:45:40 -0000 you wrote
> 
> 	16-byte blocks... ouch. Here's a little point to keep in mind: IP
> fragments come in 8-byte blocks. As long as your crypto cipher chunks
> through memory in 8-byte blocks, then your different fragments do not
> have to be lined up contiguously in memory. But pick a 16-byte block
> crypto tool and then you will have to get into memory copying fragments
> around.
> 	And I know that this is still a debate, but a good fraction of the
> community here believe that if you are an SGW using IPSec selectors
> which filter on ports, then you must do an 'intermediate reassemble' of
> the packet even if you are not the end destination. That could add up
> to a lot of traffic which a 16-byte cipher would force you to mem-copy all
> about.

I think you're misunderstanding the debate. The situation where reassembly
in an SGW is necessary is IPSec encrypted fragments and they're all gonna
be padded to the blocksize of the cipher anyway. What you have to do
is reassemble enough of the cleartext fragment(s) to see whether this is
an acceptable packet or not. In the case of an IPSec encrypted packet that
gets fragmented you have to reconstruct the whole thing prior to decryption
anyway and it too will be padded to the blocksize of the cipher.

The blocksize of the cipher should not be a concern here.

  Dan.
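To make the point concrete, here is an added example (written for this page, not code from the thread or from any IPsec implementation): it pads an ESP body to the cipher block size as RFC 2406 describes, fragments the resulting ciphertext the way IP does (8-byte offset units), and checks which pieces a block cipher could actually process. The payload length, fragment size and next-header value are constructed for the demonstration.

```python
from typing import List, Tuple

def esp_pad_len(payload_len: int, block_size: int) -> int:
    """Padding needed so payload + pad + the 2-byte ESP trailer (pad length,
    next header) fills a whole number of cipher blocks (RFC 2406). For 8- and
    16-byte blocks this also gives the 4-byte alignment ESP requires."""
    return (-(payload_len + 2)) % block_size

def build_esp_body(payload: bytes, block_size: int, next_header: int = 4) -> bytes:
    """payload || pad || pad_len || next_header: the part of ESP that gets
    encrypted. Pad bytes follow the RFC 2406 default sequence 1, 2, 3, ..."""
    pad_len = esp_pad_len(len(payload), block_size)
    pad = bytes(range(1, pad_len + 1))
    return payload + pad + bytes([pad_len, next_header])

def ip_fragment(data: bytes, frag_payload_max: int) -> List[Tuple[int, bytes]]:
    """Split the way IP does: every non-final fragment carries a multiple of
    8 bytes, and the offset is expressed in 8-byte units."""
    step = frag_payload_max - frag_payload_max % 8
    if step == 0:
        raise ValueError("fragment payload must allow at least 8 bytes")
    return [(off // 8, data[off:off + step]) for off in range(0, len(data), step)]

def ip_reassemble(frags: List[Tuple[int, bytes]]) -> bytes:
    """Rebuild the datagram, rejecting gaps or overlaps between fragments."""
    out = bytearray()
    for unit_off, chunk in sorted(frags):
        if unit_off * 8 != len(out):
            raise ValueError("gap or overlap at 8-byte offset %d" % unit_off)
        out += chunk
    return bytes(out)

def block_aligned(data: bytes, block_size: int) -> bool:
    """A block cipher can only process whole blocks of ciphertext."""
    return len(data) % block_size == 0

def demo(payload_len: int = 100, block_size: int = 16, frag_max: int = 40) -> dict:
    """Constructed scenario: one ESP body padded for block_size, then cut by
    an intermediate router into fragments of at most frag_max bytes."""
    body = build_esp_body(b"A" * payload_len, block_size)
    frags = ip_fragment(body, frag_max)
    return {
        "body_len": len(body),
        "body_aligned": block_aligned(body, block_size),
        "fragments_aligned": [block_aligned(c, block_size) for _, c in frags],
        "reassembled_ok": ip_reassemble(frags) == body,
    }
```

With a 16-byte block the individual 40-byte fragments are not block-aligned while the reassembled body is, which is why decryption waits for reassembly regardless of block size.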


