
Re: tunnel mode SAs...



If we have logic that, before decryption, tries to
defragment first if required (fragments found), and also tries
to defragment after decryption but before applying security policy,
this will cover both case 1 and case 2 at the same time on the
receive side.

Thanks,
-Yuri

Steve.Robinson@psti.com wrote:
> 
> >On Wed, 25 Apr 2001 12:26:05 EDT you wrote
> >>
> >> On inbound
> >> 1.      - decrypt each fragment
> >>         - defragment a packet
> >> or
> >> 2.      - defragment a packet
> >>         - decrypt a packet
> >>
> >> The second case (2), I think, is used more often.
> >> You should handle both cases if you want to cover all situations.
> >
> >I don't think 1 is possible. We authenticate encrypted packets and you
> >must reconstruct the entire packet before you can authenticate it.
> >
> >  Dan.
> 
> Couldn't you just use NULL authentication?  Anyway, isn't this discussion
> irrelevant?  Section 5.2 of RFC 2401 clearly states that: "Prior to
> performing AH or ESP processing, any IP fragments are reassembled."
> So only the second case is allowed.
> 
> Steve
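To make concrete why case 1 cannot work and why RFC 2401 section 5.2 requires reassembly before AH/ESP processing, here is an added toy model (not code from this thread or from any IPsec implementation): the integrity check value covers the whole ESP packet, so it can only be verified once the fragments are back together. The key, SPI, sequence number and MTU are constructed sample values.

```python
import hmac
import hashlib

# Constructed demo values, not taken from the thread or any real SA.
KEY = b"demo-integrity-key"
ICV_LEN = 12  # 96-bit truncated HMAC, the ESP convention

def build_esp(spi: int, seq: int, payload: bytes) -> bytes:
    """Return header || payload || ICV, with the ICV computed over header+payload."""
    hdr = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    icv = hmac.new(KEY, hdr + payload, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + payload + icv

def fragment(packet: bytes, mtu: int) -> list:
    """Split into (offset, more_fragments, data) tuples, like IP fragmentation."""
    return [(off, off + mtu < len(packet), packet[off:off + mtu])
            for off in range(0, len(packet), mtu)]

def reassemble(frags: list) -> bytes:
    """Rebuild by offset; fragments may arrive in any order. Rejects gaps and overlaps."""
    frags = sorted(frags, key=lambda f: f[0])
    out = b""
    for off, _more, data in frags:
        if off != len(out):
            raise ValueError("gap or overlap in fragment offsets")
        out += data
    if frags[-1][1]:
        raise ValueError("last fragment missing")
    return out

def verify_icv(packet: bytes) -> bool:
    """The ESP integrity check, done in constant time on the complete packet."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)

def inbound_case2(frags: list) -> bool:
    """Case 2 from the thread (and RFC 2401 5.2): reassemble, then check the ICV."""
    return verify_icv(reassemble(frags))

def inbound_case1(frags: list) -> list:
    """Case 1 from the thread: attempt the ICV check on each fragment alone."""
    return [verify_icv(data) for _off, _more, data in frags]
```

Running the inbound path both ways shows every per-fragment check failing while the reassemble-first path accepts the packet, and a single tampered fragment is caught only after reassembly.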