[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: tunnle mode SAs...

To: Yuri Poeluev <ypoeluev@certicom.com>
Subject: Re: tunnle mode SAs...
From: Dan Harkins <dharkins@cips.nokia.COM>
Date: Wed, 25 Apr 2001 09:52:11 -0700
cc: Chris Trobridge <CTrobridge@baltimore.com>, Stephen Kent <kent@bbn.com>, "Jain, Gautam" <GJain@smartpipes.com>, "'ipsec@lists.tislabs.com'" <ipsec@lists.tislabs.com>
In-Reply-To: Your message of "Wed, 25 Apr 2001 12:26:05 EDT." <3AE6FA9D.A868D19F@certicom.com>
Sender: owner-ipsec@lists.tislabs.com

On Wed, 25 Apr 2001 12:26:05 EDT you wrote
> 
> On inbound
> 1.      - dencrypt each fragment
>         - defragment a packet
> or
> 2.      - defragment a packet
> 	- dencrypt a packet
> 
> The second case (2), I think, is used more often.
> You should handle both cases if you want to cover all situations.

I don't think 1 is possible. We authenticate encrypted packets and you
must reconstruct the entire packet before you can authenticate it.

  Dan.

References:

Re: tunnle mode SAs...

From: Yuri Poeluev <ypoeluev@certicom.com>

Prev by Date: Re: tunnle mode SAs...
Next by Date: Re: tunnle mode SAs...
Prev by thread: Re: tunnle mode SAs...
Next by thread: Re: tunnle mode SAs...
Index(es):
- Main
- Thread