
RE: tunnel mode SAs...




On Wed, 25 Apr 2001 21:57:44 EDT Dan wrote
>
> A security gateway receiving an already fragmented packet is different
> from a security gateway receiving a non-fragmented packet, fragmenting
> it and then applying IPsec to each fragment. The rules for the former
> are very well stated and not being debated.
>
> Since I don't believe compliant devices are supposed to do the latter
> then I don't believe a security gateway will ever receive encrypted
> fragments that it has to independently IPsec process and then combine to
> reconstruct a packet which is forwarded on to the ultimate destination.
> That was case #2 from Yuri's post.
>
> If the selector had port and/or protocol information the gateway would
> not be receiving IPsec-protected fragments of the original packet, it
> would be receiving fragments of the IPsec protected original packet.
> If the selector did not have port and/or protocol information the
> gateway would just process the fragments as normal IP packets and no
> reassembly on either end would be necessary.
>
>   Dan.
>
  If the selector had port and/or protocol information, could the gateway
receive plain fragments (not IPsec protected) of the original packet? If
it could, then reassembly would be needed before forward IPsec processing.
If we think of unprotected packets as packets protected by a NULL SA, then
this is equivalent to cascading a NULL SA with a tunnel SA in a gateway.
I don't know if cascading (not bundling) of two SA tunnels in a security
gateway is allowed or not in IPsec architecture. If it is, then packets
could go through a sequence of "inbound IPsec processing(SA1) -> reassembly
-> outbound IPsec processing(SA2)".

  JR Chen
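As an added illustration of the selector question raised in this message (example code written for this page, not from the thread or from any IPsec implementation): a toy gateway with a hypothetical SPD that carries a TCP destination-port selector. Only the first plaintext fragment carries the transport header, so the port selector cannot be evaluated on the others; reassembling the datagram before the outbound lookup (the "reassembly -> outbound IPsec processing(SA2)" step) resolves it. The SPD rules, SA names, fragment layout and port numbers are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Fragment:
    ident: int      # IP Identification, shared by all fragments of one datagram
    offset: int     # fragment offset in bytes
    more: bool      # More Fragments flag
    proto: int      # IP protocol number, present in every fragment header
    payload: bytes  # only the first fragment carries the TCP/UDP header

# Hypothetical SPD for this example: dport None means "no port selector".
SPD = [
    {"proto": 6, "dport": 443, "sa": "SA-tcp-443"},
    {"proto": 17, "dport": None, "sa": "SA-udp-any"},
]

def dst_port(frag: Fragment) -> Optional[int]:
    """The port is visible only in the fragment carrying the transport header."""
    if frag.offset != 0 or frag.proto not in (6, 17) or len(frag.payload) < 4:
        return None
    return int.from_bytes(frag.payload[2:4], "big")

def select_sa(frag: Fragment) -> Optional[str]:
    """Outbound SPD lookup; None means the port selector could not be evaluated."""
    port = dst_port(frag)
    for rule in SPD:
        if rule["proto"] != frag.proto:
            continue
        if rule["dport"] is None or port == rule["dport"]:
            return rule["sa"]
    return None

def reassemble(frags: list) -> Fragment:
    """Rebuild the plaintext datagram so the selector is applied once, before SA2."""
    frags = sorted(frags, key=lambda f: f.offset)
    if frags[0].offset != 0 or frags[-1].more:
        raise ValueError("incomplete datagram")
    payload = b""
    for f in frags:
        if f.ident != frags[0].ident or f.offset != len(payload):
            raise ValueError("gap, overlap or mixed datagrams")
        payload += f.payload
    return Fragment(frags[0].ident, 0, False, frags[0].proto, payload)

# Constructed sample: one TCP datagram to port 443, split into two plaintext fragments.
TCP_HDR = (50000).to_bytes(2, "big") + (443).to_bytes(2, "big") + bytes(16)
FRAGS = [Fragment(7, 0, True, 6, TCP_HDR + b"A" * 12), Fragment(7, 32, False, 6, b"B" * 20)]
```

Looking up each fragment on its own gives `SA-tcp-443` for the first and `None` for the second, which has no port to match; `select_sa(reassemble(FRAGS))` returns `SA-tcp-443` for the whole datagram.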