
Re: tunnel mode SAs...



Dan,

Actually each fragment has its own authentication trailer.
So, you don't have to defragment the packet to verify that
authentication is OK.

-Yuri

Dan Harkins wrote:
> 
> On Wed, 25 Apr 2001 12:26:05 EDT you wrote
> >
> > On inbound
> > 1.      - decrypt each fragment
> >         - defragment a packet
> > or
> > 2.      - defragment a packet
> >         - decrypt a packet
> >
> > The second case (2), I think, is used more often.
> > You should handle both cases if you want to cover all situations.
> 
> I don't think 1 is possible. We authenticate encrypted packets and you
> must reconstruct the entire packet before you can authenticate it.
> 
>   Dan.

