[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Re:] Re: Placement of IPSec...

	i still cannot understand why BITW implementation need not 
do any fragmentation, re-assembly. in my opinion, both BITW 
and BITS implementations should suffer the same sort of overheads.
	the IPSec RFC 2401 clearly mentions that IPSec processing is 
to be done only on complete packets - this directly means that 
even BITW implementations need to do re-assembly/fragmentation 
(or, have i understood it wrongly?)
	please clarify my doubt...


On Thu, 21 Dec 2000 11:55:22 +0000
Amey Gokhale wrote:

>hello all,
>What Mr.Arvind says is true for BIS implementation of 
>IPSec.The major issue in BIS implementation is duplicaiton 
>of effort.It requires implementing most of the features of 
>the network layer, such as fragmentation and route 
>tables.Duplicating functionality leads to undesired 
>complications and it becomes more difficult to handle 
>issues such as fragmentation,PMTU and routing.
>BIW implementation is one of the two types of router 
>implementation along with the native implementation.
>In BIW ,IPSec is implemented in a device that is attached 
>to the physical interface of the router.This device 
>normally does not run any routing algorithm but is used 
>only to secure packets.So here no duplication of 
>effort is required for fragmentation and route tables.
>But BIW is not a long term solution as it is not viable to 
>have a device attached to every interface of the router.
>Another issue with router implementation is IPSec contexts.
>As the router has to store huge routing tables and normally 
>does not have huge disks for virtual memory support, 
>maintaining too many IPSec contexts is an issue.
>i may be wrong so plz. correct me if i am wrong.
>thanks in advance

Arvind Devarajan
< - >
E-mail: arvindd@india.com OR arvindd@hotvoice.com
Get my PGP public key from http://arvind.freipsec.org/

Global Internet phone calls, voicemail, fax, e-mail and instant messaging.
Sign-up today for FREE account at http://www.hotvoice.com