
RE: tunnel mode SAs...



Not all the fragments are guaranteed to go through one SGW.

Chris

> -----Original Message-----
> From: Jian-Rong Chen [mailto:jrc@adv.sonybpe.com]
> Sent: 26 April 2001 10:57
> To: Dan Harkins; Claudio Lordello
> Cc: Yuri Poeluev; ipsec@lists.tislabs.com
> Subject: RE: tunnel mode SAs... 
> 
> 
> 
> On Wed, 25 Apr 2001 21:57:44 EDT Dan wrote
> >
> > A security gateway receiving an already fragmented packet is different
> > from a security gateway receiving a non-fragmented packet, fragmenting
> > it and then applying IPsec to each fragment. The rules for the former
> > are very well stated and not being debated.
> >
> > Since I don't believe compliant devices are supposed to do the latter
> > then I don't believe a security gateway will ever receive encrypted
> > fragments that it has to independently IPsec process and then combine to
> > reconstruct a packet which is forwarded on to the ultimate destination.
> > That was case #2 from Yuri's post.
> >
> > If the selector had port and/or protocol information the gateway would
> > not be receiving IPsec-protected fragments of the original packet, it
> > would be receiving fragments of the IPsec protected original packet.
> > If the selector did not have port and/or protocol information the
> > gateway would just process the fragments as normal IP packets and no
> > reassembly on either end would be necessary.
> >
> >   Dan.
> >
>   If the selector had port and/or protocol information, could the gateway
> receive plain fragments (not IPsec protected) of the original packet? If
> it could, then reassembly would be needed before forward IPsec processing.
> If we think of unprotected packets as packets protected by a NULL SA, then
> this is equivalent to cascading a NULL SA with a tunnel SA in a gateway.
> I don't know if cascading (not bundling) of two SA tunnels in a security
> gateway is allowed or not in IPsec architecture. If it is, then packets
> could go through a sequence of "inbound IPsec processing(SA1) -> reassembly
> -> outbound IPsec processing(SA2)".
> 
>   JR Chen
> 


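Chris's objection (the fragments of one datagram need not all pass through the same security gateway) and JR Chen's question (a port/protocol selector cannot be applied to plain fragments without reassembling first) are modelled below in an added example. This is editorial illustration, not code from the thread, from Baltimore Technologies, or from any IPsec implementation; the addresses, SPD entries, IP Identification value, hold timer and segment bytes are all constructed for the demonstration.

```python
"""Constructed model of the fragment problem: a TCP segment to port 80 is
fragmented before reaching a security gateway (SGW) whose SPD selects on the
destination port. Only the first fragment carries the TCP header, so the others
cannot be matched alone; the SGW must reassemble, and reassembly fails when some
fragments were routed through a different SGW (illustration, not real code)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: int
    ident: int      # IPv4 Identification: shared by all fragments of one datagram
    offset: int     # fragment offset in bytes (IPv4 encodes it in 8-byte units)
    more: bool      # MF flag: more fragments follow
    payload: bytes


@dataclass(frozen=True)
class SpdEntry:
    dst: str
    proto: Optional[int]   # None matches any protocol
    dport: Optional[int]   # None matches any destination port
    action: str            # "PROTECT", "BYPASS" or "DISCARD"


def fragment(src: str, dst: str, proto: int, ident: int,
             payload: bytes, chunk: int = 8) -> List[Fragment]:
    """Split a transport payload into IPv4-style fragments of `chunk` bytes (multiple of 8)."""
    assert chunk % 8 == 0
    return [Fragment(src, dst, proto, ident, off, off + chunk < len(payload),
                     payload[off:off + chunk])
            for off in range(0, len(payload), chunk)]


def ports_from(frag: Fragment) -> Optional[Tuple[int, int]]:
    """TCP/UDP ports are readable only from the first fragment (offset 0)."""
    if frag.offset != 0 or frag.proto not in (TCP, UDP) or len(frag.payload) < 4:
        return None
    return struct.unpack("!HH", frag.payload[:4])


def lookup(spd: List[SpdEntry], dst: str, proto: int, dport: Optional[int]) -> str:
    """First-match SPD lookup; no matching entry means DISCARD (the RFC 2401 default)."""
    for e in spd:
        if e.dst == dst and e.proto in (None, proto) and e.dport in (None, dport):
            return e.action
    return "DISCARD"


def classify_fragment(spd: List[SpdEntry], frag: Fragment) -> str:
    """What the SGW can decide from this fragment alone: the SPD action, or
    "NEEDS_REASSEMBLY" when a candidate entry selects on a port and this
    fragment does not carry the transport header."""
    port_entries = [e for e in spd if e.dst == frag.dst
                    and e.proto in (None, frag.proto) and e.dport is not None]
    ports = ports_from(frag)
    if port_entries and ports is None:
        return "NEEDS_REASSEMBLY"
    return lookup(spd, frag.dst, frag.proto, ports[1] if ports else None)


class Reassembler:
    """Per-(src, dst, proto, ident) reassembly buffer with a hold timer."""

    def __init__(self, timeout: float = 60.0):
        self.timeout = timeout
        self.buffers: Dict[tuple, Dict[int, Fragment]] = {}
        self.first_seen: Dict[tuple, float] = {}

    def add(self, frag: Fragment, now: float) -> Optional[bytes]:
        """Store a fragment; return the full payload once every fragment is present."""
        key = (frag.src, frag.dst, frag.proto, frag.ident)
        self.first_seen.setdefault(key, now)
        buf = self.buffers.setdefault(key, {})
        buf[frag.offset] = frag
        data, expected, last = b"", 0, None
        for off in sorted(buf):              # contiguity check from offset 0 upwards
            if off != expected:
                return None                  # hole: a fragment is still missing
            last = buf[off]
            data += last.payload
            expected = off + len(last.payload)
        if last.more:
            return None                      # tail fragment not yet seen
        del self.buffers[key], self.first_seen[key]
        return data

    def expire(self, now: float) -> int:
        """Drop incomplete datagrams held longer than the timeout; return how many."""
        stale = [k for k, t in self.first_seen.items() if now - t >= self.timeout]
        for k in stale:
            del self.buffers[k], self.first_seen[k]
        return len(stale)


def demo() -> dict:
    spd = [SpdEntry("192.0.2.10", TCP, 80, "PROTECT"),     # tunnel HTTP to the peer SGW
           SpdEntry("192.0.2.10", None, None, "DISCARD")]  # everything else to that host
    # Constructed TCP segment: sport 40000, dport 80, then 20 bytes standing in for the rest.
    segment = struct.pack("!HH", 40000, 80) + bytes(range(20))
    frags = fragment("198.51.100.7", "192.0.2.10", TCP, 0x1234, segment, chunk=8)
    per_fragment = [classify_fragment(spd, f) for f in frags]

    # Case 1: every fragment transits this SGW, so reassembly completes and policy applies.
    r1, whole = Reassembler(timeout=60), None
    for t, f in enumerate(frags):
        whole = r1.add(f, now=t) or whole
    reassembled = Fragment(frags[0].src, frags[0].dst, TCP, 0x1234, 0, False, whole)
    reassembled_action = classify_fragment(spd, reassembled)

    # Case 2: the middle fragment is routed via another SGW and never arrives here.
    r2 = Reassembler(timeout=60)
    r2.add(frags[0], now=0)
    split_result = r2.add(frags[2], now=1)
    dropped = r2.expire(now=61)
    return {"per_fragment": per_fragment, "reassembled_action": reassembled_action,
            "reassembled_ok": whole == segment,
            "split_path_result": split_result, "split_path_dropped": dropped}


if __name__ == "__main__":
    print(demo())
```

Only the first fragment carries the transport header, so `classify_fragment` can apply the port-based entry to it alone, while the other two fragments come back as NEEDS_REASSEMBLY. With all fragments present the reassembled datagram is classified normally; with the middle fragment routed elsewhere the buffer never completes and the hold timer discards it, which is exactly the failure Chris points to. The later revision of the architecture, RFC 4301, addresses this case with selector values (OPAQUE/ANY) that let a policy match non-initial fragments without port information, but that is outside this 2001 thread.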