
Re: new second mandatory IPsec cipher



Dan Harkins wrote:
> 
> On Wed, 14 Jul 1999 15:45:40 -0000 you wrote
> >
> >       16-byte blocks... ouch. Here's a little point to keep in mind: IP
> > fragments come in 8-byte blocks. As long as your crypto cipher chunks
> > through memory in 8-byte blocks, then your different fragments do not
> > have to be lined up contiguously in memory. But pick a 16-byte block
> > crypto tool and then you will have to get into memory copying fragments
> > around.
> >       And I know that this is still a debate, but a good fraction of the
> > community here believe that if you are an SGW using IPSec selectors
> > which filter on ports, then you must do an 'intermediate reassemble' of
> > the packet even if you are not the end destination. That could add up
> > to a lot of traffic which a 16-byte cipher would force you to mem-copy all
> > about.
> 
> I think you're misunderstanding the debate. The situation where reassembly
> in a SGW is necessary is IPSec encrypted fragments and they're all gonna
> be padded to the blocksize of the cipher anyway. What you have to do
> is reassemble enough of the cleartext fragment(s) to see whether this is
> an acceptable packet or not. In the case of an IPSec encrypted packet that
> gets fragmented you have to reconstruct the whole thing prior to decryption
> anyway and it too will be padded to the blocksize of the cipher.
> 
> The blocksize of the cipher should not be a concern here.
> 
>   Dan.

-- 

Oops. You got me. As Dan says, 
	"The situation where reassembly in a SGW is necessary
	is IPSec encrypted fragments and they're all gonna
	be padded to the blocksize of the cipher anyway."

I withdraw my previous comment about wanting an 8-byte block cipher in order
to be more 'fragment friendly'.


####################################
#  Ricky Charlet
#	(510) 795-6903
#	rcharlet@redcreek.com
####################################
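An added illustration of the two points in this exchange (this is example code, not from the thread or any IPsec implementation): ESP padding makes the encrypted portion a whole number of cipher blocks, so a fragmented ESP packet has to be reassembled before decryption regardless of block size, while IP fragment offsets are 8-byte units, so with a 16-byte block cipher a fragment boundary need not fall on a block boundary. It assumes the RFC 2406 ESP layout (SPI, sequence number, IV, then the encrypted payload and trailer) and ignores the ICV.

```python
from math import gcd

ESP_HDR_LEN = 8  # SPI (4 bytes) + sequence number (4 bytes), RFC 2406


def esp_pad_len(payload_len, block_size):
    """Padding needed so that payload + padding + Pad Length + Next Header
    (2 trailer bytes) is a multiple of the cipher block size and the trailer
    ends on a 4-byte boundary (RFC 2406 section 2.4)."""
    align = block_size * 4 // gcd(block_size, 4)
    return (-(payload_len + 2)) % align


def esp_encrypted_len(payload_len, block_size):
    """Length of the ciphertext portion of an ESP packet (payload + trailer)."""
    return payload_len + esp_pad_len(payload_len, block_size) + 2


def ip_fragments(ip_payload_len, frag_data_len):
    """Split an IP payload into fragments carrying frag_data_len bytes each
    (the last one may be shorter). Returns (offset, length) pairs; offsets are
    byte offsets that are multiples of 8, since the 13-bit Fragment Offset
    field counts 8-byte units."""
    if frag_data_len % 8:
        raise ValueError("non-final fragment sizes must be multiples of 8")
    return [(off, min(frag_data_len, ip_payload_len - off))
            for off in range(0, ip_payload_len, frag_data_len)]


def fragment_boundaries_block_aligned(payload_len, block_size, iv_len, frag_data_len):
    """For each fragment after the first, report whether its first byte falls on
    a cipher block boundary of the ESP ciphertext, which starts after the ESP
    header and the IV. With an 8-byte block cipher every boundary is aligned;
    with a 16-byte block cipher some boundaries split a block, so the fragment
    cannot be decrypted on its own even in principle."""
    enc_len = esp_encrypted_len(payload_len, block_size)
    ip_payload_len = ESP_HDR_LEN + iv_len + enc_len  # ICV omitted
    frags = ip_fragments(ip_payload_len, frag_data_len)
    return [(off - ESP_HDR_LEN - iv_len) % block_size == 0 for off, _ in frags[1:]]


if __name__ == "__main__":
    # Constructed sample: a 3000-byte cleartext packet, 1480-byte fragments.
    for block, iv in ((8, 8), (16, 16)):
        print(block, esp_encrypted_len(3000, block),
              fragment_boundaries_block_aligned(3000, block, iv, 1480))
```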