[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: tunnle mode SAs...
Dan,
Actually each fragment has it's own authentication trailer.
So, you don't have to defragment packet to verify that
authentication is OK.
-Yuri
Dan Harkins wrote:
>
> On Wed, 25 Apr 2001 12:26:05 EDT you wrote
> >
> > On inbound
> > 1. - dencrypt each fragment
> > - defragment a packet
> > or
> > 2. - defragment a packet
> > - dencrypt a packet
> >
> > The second case (2), I think, is used more often.
> > You should handle both cases if you want to cover all situations.
>
> I don't think 1 is possible. We authenticate encrypted packets and you
> must reconstruct the entire packet before you can authenticate it.
>
> Dan.
Follow-Ups: