
Re: tunnel mode SAs...



At 5:11 PM +0000 4/24/01, Jain, Gautam wrote:
>With reference to section 4.1 in RFC 2401 I have a question on the
>following statement.
>
>The requirement for any (transit traffic) SA involving a
>security gateway to be a tunnel SA arises due to the need to avoid
>potential problems with regard to fragmentation and reassembly of
>IPsec packets, and in circumstances where multiple paths (e.g., via
>different security gateways) exist to the same destination behind the
>security gateways.
>
>How does a tunnel mode SA avoid the fragmentation problem and why
>is a transport mode SA a problem if there exist multiple paths to the
>same destination behind the security gateways?

In tunnel mode packets are addressed to a single target SG, thus 
ensuring that all fragments arrive at one point, where they can be 
reassembled. In transport mode, the address of the ultimate target, 
not the SG, would allow traffic, including fragments, on one SA to be 
routed to different SGs, and this would preclude reassembly at an 
intermediate SG.

Steve
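The routing argument above, as an added toy model (not part of the original thread or of any IPsec implementation): a datagram is fragmented, each fragment is routed by the address in its outermost IP header, and a gateway can reassemble only if every fragment reached it. The host names (H1, H2), gateway names (SG_A, SG_B), per-fragment equal-cost load balancing and the sizes used are all constructed assumptions.

```python
"""Toy model of why RFC 2401 requires tunnel-mode SAs at security gateways.

Constructed scenario: a 3000-byte datagram for host H2 is split into
1400-byte fragments. H2 sits behind two gateways (SG_A, SG_B) that both
advertise a route to it; routing load-balances per fragment (assumption).
"""
from dataclasses import dataclass
from itertools import cycle

@dataclass(frozen=True)
class Fragment:
    dst: str        # destination in the outermost IP header (what routers see)
    inner_dst: str  # ultimate destination behind the gateways
    offset: int
    length: int
    more: bool      # "more fragments" flag

def fragment(total: int, mtu: int, dst: str, inner_dst: str) -> list[Fragment]:
    """Split a datagram of `total` bytes into fragments of at most `mtu` bytes."""
    frags, off = [], 0
    while off < total:
        size = min(mtu, total - off)
        frags.append(Fragment(dst, inner_dst, off, size, off + size < total))
        off += size
    return frags

# Constructed routing table: H2 is reachable through either gateway,
# while each gateway address is reachable only via that gateway.
ROUTES = {"H2": ["SG_A", "SG_B"], "SG_A": ["SG_A"], "SG_B": ["SG_B"]}

def deliver(frags: list[Fragment]) -> dict[str, list[Fragment]]:
    """Forward each fragment along the next equal-cost path for its outer dst."""
    rr = {dst: cycle(paths) for dst, paths in ROUTES.items()}
    arrived: dict[str, list[Fragment]] = {}
    for f in frags:
        arrived.setdefault(next(rr[f.dst]), []).append(f)
    return arrived

def reassembled(arrived: dict[str, list[Fragment]], total: int) -> dict[str, bool]:
    """A gateway can reassemble only if it holds every byte of the datagram."""
    return {sg: sum(f.length for f in fs) == total for sg, fs in arrived.items()}

def compare(total: int = 3000, mtu: int = 1400):
    # Transport mode: outer header names the end host, so fragments spread over SGs.
    transport = deliver(fragment(total, mtu, dst="H2", inner_dst="H2"))
    # Tunnel mode: outer header names one SG, so every fragment lands there.
    tunnel = deliver(fragment(total, mtu, dst="SG_A", inner_dst="H2"))
    return reassembled(transport, total), reassembled(tunnel, total)
```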



