[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: tunnel mode SAs...
>On Wed, 25 Apr 2001 12:26:05 EDT you wrote
>>
>> On inbound
>> 1. - dencrypt each fragment
>> - defragment a packet
>> or
>> 2. - defragment a packet
>> - dencrypt a packet
>>
>> The second case (2), I think, is used more often.
>> You should handle both cases if you want to cover all situations.
>
>I don't think 1 is possible. We authenticate encrypted packets and you
>must reconstruct the entire packet before you can authenticate it.
>
> Dan.
Couldn't you just use NULL authentication? Anyway, isn't this discussion
irrelevant? Section 5.2 of RFC 2401 clearly states that: "Prior to
performing AH or ESP processing, any IP fragments are
reassembled." So only the second case is allowed.
Steve