Re: NAT Traversal and packet reassemble
On Tue, 7 May 2002, michael lin wrote:
> Hi,
>
> To support IPSec fragmented packets, the only thing the VPN gateway should do is
> to reassemble AH and ESP packets. In NAT Traversal, all IPSec packets are
> encapsulated by a UDP header (port 500 or 4500). For the first fragment, the VPN
> gateway can only keep the packet with UDP port 500 and non-IKE marker.
SRINI> Now it is the non-ESP marker, according to the new draft.
> But
> for the second fragment, there is no UDP header. There is no way to know whether
> this fragment is a UDP-encapsulated IPSec packet or some other UDP packet. That
> means the VPN gateway should try to reassemble all UDP packets. This will affect
> VPN gateway throughput.
>
> It seems there is no way to solve this problem, right?
SRINI> Reassembly is needed for this. In any case, to support a port-based
SPD, reassembly is required anyway. Also, the extra header should be taken
into consideration for PMTU (if supported).
>
> Michael
>
--
Srinivasa Rao Addepalli
Intoto Inc. (Enabling Security Infrastructure)
3160, De La Cruz Blvd #100
Santa Clara, CA
USA
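The exchange above can be made concrete with a small, added Python model that is not part of this thread or of any vendor implementation. It builds a UDP-encapsulated ESP datagram on port 4500 (constructed sample data, no checksums), fragments it at an assumed MTU, and shows that only the first fragment carries the UDP header needed to tell ESP (non-zero SPI) from IKE (four-zero-byte non-ESP marker, the convention from the NAT-T drafts that became RFC 3948/3947); every later fragment is just opaque IP payload until a reassembler has put the datagram back together. The reassembler keys on (src, dst, ID, protocol), checks the fragments are contiguous, and rejects gaps or overlaps by simply not completing (a real implementation would also time out and drop such buffers).

```python
import struct
from collections import defaultdict

NAT_T_PORTS = {500, 4500}             # UDP ports used for IKE and UDP-encapsulated ESP
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # four zero bytes in front of IKE on port 4500; SPI 0 is reserved
IPPROTO_UDP = 17
IPV4_FMT = "!BBHHHBBH4s4s"            # minimal 20-byte IPv4 header layout


def build_ipv4(src, dst, payload, ident, proto=IPPROTO_UDP, mf=False, frag_off=0):
    """Constructed IPv4 packet: no checksum, so not a wire-accurate packet."""
    flags_frag = (0x2000 if mf else 0) | (frag_off // 8)   # MF flag + offset in 8-byte units
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload


def parse_ipv4(pkt):
    ver_ihl, _, total, ident, flags_frag, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ident": ident, "proto": proto, "src": src, "dst": dst,
            "mf": bool(flags_frag & 0x2000), "frag_off": (flags_frag & 0x1FFF) * 8,
            "payload": pkt[ihl:total]}


def make_udp_datagram(src, dst, dport, data, ident, sport=4500):
    """UDP header (checksum left zero) in front of constructed data."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return build_ipv4(src, dst, udp, ident)


def fragment(pkt, mtu):
    """Split one datagram into IP fragments whose payload fits the assumed MTU."""
    p = parse_ipv4(pkt)
    chunk = (mtu - 20) // 8 * 8          # fragment offsets must be multiples of 8
    data, frags = p["payload"], []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        last = off + chunk >= len(data)
        frags.append(build_ipv4(p["src"], p["dst"], piece, p["ident"], p["proto"],
                                mf=not last, frag_off=off))
    return frags


class Reassembler:
    """Per-(src, dst, id, proto) fragment buffer; returns the whole datagram once complete."""

    def __init__(self):
        self.pending = defaultdict(dict)   # key -> {frag_off: payload bytes}
        self.total = {}                    # key -> payload length, known once MF=0 arrives

    def add(self, frag):
        p = parse_ipv4(frag)
        key = (p["src"], p["dst"], p["ident"], p["proto"])
        self.pending[key][p["frag_off"]] = p["payload"]
        if not p["mf"]:
            self.total[key] = p["frag_off"] + len(p["payload"])
        if key not in self.total:
            return None
        parts, expect = self.pending[key], 0
        for off in sorted(parts):          # contiguity check: a gap or overlap never completes
            if off != expect:
                return None
            expect = off + len(parts[off])
        if expect != self.total[key]:
            return None
        self.pending.pop(key)
        self.total.pop(key)
        data = b"".join(parts[o] for o in sorted(parts))
        return build_ipv4(key[0], key[1], data, key[2], key[3])


def classify_datagram(pkt):
    """What a gateway can tell from one IP packet without reassembling it."""
    p = parse_ipv4(pkt)
    if p["frag_off"] != 0:
        return "non-first fragment: no UDP header, reassemble before classifying"
    if p["proto"] != IPPROTO_UDP:
        return "not udp"
    udp = p["payload"]
    if len(udp) < 8:
        return "truncated udp header"
    _sport, dport, _ulen, _csum = struct.unpack("!HHHH", udp[:8])
    data = udp[8:]
    if dport == 4500 and len(data) >= 4:
        if data[:4] == NON_ESP_MARKER:
            kind = "ike (non-ESP marker)"
        else:
            kind = "esp spi=0x%08x" % struct.unpack("!I", data[:4])[0]
    elif dport == 500:
        kind = "ike"
    else:
        kind = "plain udp"
    if p["mf"]:
        kind += " (first fragment, incomplete)"
    return kind


def demo(mtu=576):
    """Fragment a constructed UDP-encapsulated ESP datagram, classify each piece, then reassemble."""
    src, dst = bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1])   # constructed addresses
    esp = struct.pack("!II", 0x0000ABCD, 1) + bytes(1400)    # constructed ESP: SPI, seq, opaque payload
    frags = fragment(make_udp_datagram(src, dst, 4500, esp, ident=7), mtu)
    per_fragment = [classify_datagram(f) for f in frags]
    r, whole = Reassembler(), None
    for f in frags:
        whole = r.add(f) or whole
    return per_fragment, classify_datagram(whole)


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
    print("reassembled:", demo()[1])
```

Running `demo()` gives one classifiable first fragment and two fragments that are indistinguishable from any other UDP traffic, which is exactly why the gateway has to buffer and reassemble every fragmented UDP datagram (and why a port-based SPD needs reassembly regardless of NAT-T).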