Re: tunnel mode SAs...

>On Wed, 25 Apr 2001 12:26:05 EDT you wrote
>>
>> On inbound
>> 1.      - decrypt each fragment
>>         - defragment a packet
>> or
>> 2.      - defragment a packet
>>         - decrypt a packet
>>
>> The second case (2), I think, is used more often.
>> You should handle both cases if you want to cover all situations.
>
>I don't think 1 is possible. We authenticate encrypted packets and you
>must reconstruct the entire packet before you can authenticate it.
>
>  Dan.

Couldn't you just use NULL authentication?  Anyway, isn't this discussion
irrelevant?  Section 5.2 of RFC 2401 clearly states that: "Prior to
performing AH or ESP processing, any IP fragments are reassembled."  So
only the second case is allowed.

Steve
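
As an added illustration of the two inbound orderings discussed above (this is not code from any poster in the thread or from an IPsec implementation): a small Python model of an ESP packet using NULL encryption with HMAC-SHA1-96 authentication (RFC 2404), an IP-style fragmenter and reassembler, and the two inbound procedures. The key, SPI, sequence number and inner payload are constructed for the demo, and fragment offsets are kept to multiples of 8 bytes as real IP fragmentation requires.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12      # HMAC-SHA1-96: the ICV is the first 96 bits of the MAC
ESP_HDR_LEN = 8   # SPI (4 bytes) + sequence number (4 bytes)

DEMO_KEY = bytes(range(20))  # constructed demo key; a real SA key comes from IKE


def esp_encapsulate(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Build an ESP packet: NULL encryption, ICV over SPI + seq + payload.

    Because the ICV covers the entire ESP packet, it can only be computed
    (and later checked) over the complete, unfragmented packet.
    """
    hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(key, hdr + payload, hashlib.sha1).digest()[:ICV_LEN]
    return hdr + payload + icv


def esp_verify(key: bytes, packet: bytes) -> bool:
    """Check the trailing ICV of what is presented as a complete ESP packet."""
    if len(packet) < ESP_HDR_LEN + ICV_LEN:
        return False
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def fragment(packet: bytes, frag_size: int) -> list:
    """Simulate IP fragmentation: returns (offset, more_fragments, data) tuples."""
    if frag_size % 8 != 0:
        raise ValueError("IP fragment offsets are in 8-byte units")
    frags = []
    for off in range(0, len(packet), frag_size):
        data = packet[off:off + frag_size]
        frags.append((off, off + frag_size < len(packet), data))
    return frags


def reassemble(frags: list) -> bytes:
    """Reassemble fragments arriving in any order; reject gaps, overlaps, missing tail."""
    buf = bytearray()
    total = None
    for off, more, data in sorted(frags, key=lambda f: f[0]):
        if off != len(buf):
            raise ValueError("gap or overlapping fragment at offset %d" % off)
        buf += data
        if not more:
            total = off + len(data)
    if total is None or len(buf) != total:
        raise ValueError("fragment set incomplete")
    return bytes(buf)


def inbound_verify_then_reassemble(key: bytes, frags: list):
    """Case 1 from the thread: authenticate each fragment, then reassemble.
    Returns the packet on success, None if any fragment fails the ICV check."""
    for _, _, data in frags:
        if not esp_verify(key, data):
            return None
    return reassemble(frags)


def inbound_reassemble_then_verify(key: bytes, frags: list):
    """Case 2 (RFC 2401 section 5.2): reassemble first, then do ESP processing."""
    packet = reassemble(frags)
    return packet if esp_verify(key, packet) else None


def demo() -> dict:
    payload = b"inner IP datagram " * 4          # constructed 72-byte inner packet
    pkt = esp_encapsulate(DEMO_KEY, spi=0x1000, seq=1, payload=payload)
    frags = fragment(pkt, 32)                     # 92-byte packet -> 3 fragments
    shuffled = frags[::-1]                        # worst-case arrival order

    tampered = list(frags)                        # flip one bit in the middle fragment
    off, more, data = tampered[1]
    tampered[1] = (off, more, bytes([data[0] ^ 0x01]) + data[1:])

    return {
        "packet": pkt,
        "verify_then_reassemble": inbound_verify_then_reassemble(DEMO_KEY, frags),
        "reassemble_then_verify": inbound_reassemble_then_verify(DEMO_KEY, shuffled),
        "tampered": inbound_reassemble_then_verify(DEMO_KEY, tampered),
    }


if __name__ == "__main__":
    r = demo()
    print("case 1 (verify each fragment):", "ok" if r["verify_then_reassemble"] else "rejected")
    print("case 2 (reassemble, then verify):", "ok" if r["reassemble_then_verify"] else "rejected")
    print("case 2 with a modified fragment:", "ok" if r["tampered"] else "rejected")
```

Case 1 rejects every fragment, since a fragment's last 12 bytes are not a MAC over its first bytes; only the reassemble-then-process order accepts the packet, and it still rejects a set in which one fragment was altered. With NULL authentication there would be no ICV to check per fragment, but the RFC 2401 text quoted above requires reassembly before AH or ESP processing either way.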