
Re: IPsec issue #49 -- red-side fragmentation option
When an IPsec device sending an outbound packet does red side fragmentation 
there are at least two possible ways to select SAs for the fragments.

One way is to use the SPD entry selected for the initial packet to process 
all the created fragments.  This has some appeal because the initial packet 
is more likely to contain the port numbers (i.e. if it was not itself 
already a fragment).

The other is to create all the fragments first, then search the SPD 
independently for each fragment.  They would then be processed as per Issue 
#81 "Handling outbound red fragments".

The second way seems correct to me because it puts the sender and receiver 
on an equal footing for selecting an SPD entry.  The receiver of the 
IPsec-protected fragments is not going to reassemble them, so it will not 
know which ones came from what initial packet.  Therefore I think the 
sender should not take advantage of the additional information it has.

In any event, shouldn't the discussion of red side fragmentation in 2401bis 
make a statement on this issue?

--Mark
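The two selection strategies the message contrasts, modelled as an added example in Python (this is not code from the message, from 2401bis or from any IPsec implementation). It assumes a constructed, ordered SPD with two entries for the same destination, one keyed on TCP port 22 and a port-less catch-all; a simplified IPv4 fragmenter in which only the offset-0 fragment carries the transport header; and a modelled receiver check that evaluates each arriving fragment on its own against the selectors of the SA it arrived on, which is how the message's "equal footing" point is exercised here:

```python
from dataclasses import dataclass
from typing import List, Optional

# In a selector field, None means ANY (matches every value).


@dataclass(frozen=True)
class SPDEntry:
    name: str
    dst: str
    proto: Optional[int]
    dport: Optional[int]
    sa: str  # constructed label for the SA this entry maps to


@dataclass(frozen=True)
class Fragment:
    dst: str
    proto: int
    offset: int            # byte offset of this fragment's data in the original datagram
    more_fragments: bool
    dport: Optional[int]   # only the first fragment (offset 0) carries the transport header


# Constructed SPD: ordered search, first matching entry wins.
SPD = [
    SPDEntry("ssh-to-10.0.0.5", "10.0.0.5", 6, 22, "SA-SSH"),
    SPDEntry("any-to-10.0.0.5", "10.0.0.5", None, None, "SA-ANY"),
]


def spd_lookup(spd: List[SPDEntry], dst: str, proto: int,
               dport: Optional[int]) -> Optional[SPDEntry]:
    """Return the first SPD entry whose selectors match the given values."""
    for entry in spd:
        if entry.dst != dst:
            continue
        if entry.proto is not None and entry.proto != proto:
            continue
        if entry.dport is not None and dport != entry.dport:
            # dport is None for a non-initial fragment, so a port selector
            # can never match it; only port-less entries are reachable.
            continue
        return entry
    return None


def fragment(dst: str, proto: int, dport: int, total_len: int,
             frag_data: int) -> List[Fragment]:
    """Split a datagram of total_len data bytes into fragments of frag_data bytes."""
    frags = []
    offset = 0
    while offset < total_len:
        last = offset + frag_data >= total_len
        frags.append(Fragment(dst, proto, offset, not last,
                              dport if offset == 0 else None))
        offset += frag_data
    return frags


def sas_from_initial_packet(spd, dst, proto, dport, frags):
    """Strategy 1: look up the SPD once for the unfragmented packet, apply to all fragments."""
    entry = spd_lookup(spd, dst, proto, dport)
    return [entry.sa if entry else None for _ in frags]


def sas_per_fragment(spd, frags):
    """Strategy 2: fragment first, then look up the SPD independently per fragment."""
    result = []
    for f in frags:
        entry = spd_lookup(spd, f.dst, f.proto, f.dport)
        result.append(entry.sa if entry else None)
    return result


def receiver_accepts(spd, sa: str, frag: Fragment) -> bool:
    """Modelled receiver check (assumption): each fragment is checked on its own
    against the selectors of the SA it arrived on, with no reassembly."""
    entry = next(e for e in spd if e.sa == sa)
    return spd_lookup([entry], frag.dst, frag.proto, frag.dport) is not None


if __name__ == "__main__":
    frags = fragment("10.0.0.5", 6, 22, total_len=4000, frag_data=1480)
    print("initial-packet strategy:", sas_from_initial_packet(SPD, "10.0.0.5", 6, 22, frags))
    print("per-fragment strategy:  ", sas_per_fragment(SPD, frags))
    for f in frags:
        print(f"offset {f.offset:5d} on SA-SSH accepted by receiver:",
              receiver_accepts(SPD, "SA-SSH", f))
```

With the first strategy every fragment is sent on SA-SSH, but the receiver, evaluating each fragment alone, cannot match the port-22 selector on the non-initial fragments; with the second strategy those fragments are selected onto the port-less entry on the sender as well, which is the symmetry the message argues for.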