Re: SAs that carry fragments Was: Re: Some IKEv2 issues
- To: Bora Akyol <bora@cisco.com>
- Subject: Re: SAs that carry fragments Was: Re: Some IKEv2 issues
- From: Nicolas Williams <Nicolas.Williams@sun.com>
- Date: Thu, 19 Feb 2004 13:04:40 -0600
- Cc: "'Stephen Kent'" <kent@bbn.com>, "'Tero Kivinen'" <kivinen@iki.fi>, Barbara Fraser <byfraser@cisco.com>, "'Charles Lynn'" <clynn@bbn.com>, ipsec@lists.tislabs.com
- In-reply-to: <00b901c3f718$02aaa740$060a0a0a@amer.cisco.com>
- Mail-followup-to: Bora Akyol <bora@cisco.com>,'Stephen Kent' <kent@bbn.com>, 'Tero Kivinen' <kivinen@iki.fi>,Barbara Fraser <byfraser@cisco.com>, 'Charles Lynn' <clynn@bbn.com>,ipsec@lists.tislabs.com
- References: <p06020402bc59945d05cd@[128.89.89.75]> <00b901c3f718$02aaa740$060a0a0a@amer.cisco.com>
- Sender: owner-ipsec@lists.tislabs.com
- User-agent: Mutt/1.4i
On Thu, Feb 19, 2004 at 10:41:38AM -0800, Bora Akyol wrote:
> Steve
>
> How often do we see multiple IPSEC SAs between the same two peers
> protecting different ports (or in general different selector sets)?
Consider cases where one peer is a multi-user system and different
connections are protected by [likely transport-mode] SAs with different
IDs for different users. I would not want such scenarios to be
precluded.
> There are better and straightforward ways of getting around the
> issue of fragmented packets in the implementation
> without requiring a separate SA for fragments.
Delay policy evaluation until fragmented packets are reassembled? This
might be fine for transport mode SAs [but not for tunnel mode SAs?].
Queue fragmented packets for reassembly, remembering which SA protected
each fragment; then, once the packet is reassembled, check the SPD if all
fragments were protected by the same or congruent SAs, otherwise drop.
Nico
--
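The reassemble-then-check procedure Nico sketches above, written out as an added Python illustration; it is not code from this thread or from any IPsec implementation. Each decrypted fragment is queued with the SPI of the SA that carried it; once the datagram is contiguous the engine first requires that every fragment arrived under one SA, and only then evaluates the port-level selector (which exists only in the first fragment) against the SPD. Addresses, SPIs, the SPD contents and the UDP fragments are constructed; byte offsets instead of 8-byte units, and treating "congruent" SAs as identical SPIs, are simplifying assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Fragment:
    """One decrypted IP fragment plus the SA (SPI) that protected it.
    Offsets are in bytes rather than 8-byte units (constructed simplification)."""
    src: str
    dst: str
    proto: int
    ident: int        # IP identification field shared by all fragments of a datagram
    offset: int       # byte offset of this fragment's payload within the datagram
    more: bool        # MF flag: more fragments follow
    payload: bytes
    spi: int          # SA that carried this fragment


@dataclass
class Pending:
    parts: Dict[int, bytes] = field(default_factory=dict)   # offset -> payload
    spis: Set[int] = field(default_factory=set)             # SAs seen across fragments
    total_len: Optional[int] = None                         # known once the last fragment arrives


# SPD keyed on the full selector: (src, dst, proto, dst_port) -> SPIs allowed to carry it.
SelectorKey = Tuple[str, str, int, int]


class FragmentPolicyEngine:
    def __init__(self, spd: Dict[SelectorKey, Set[int]]):
        self.spd = spd
        self.pending: Dict[Tuple[str, str, int, int], Pending] = {}

    def receive(self, frag: Fragment) -> Optional[str]:
        """Queue a fragment. Returns None while the datagram is incomplete,
        otherwise "ACCEPT" or a "DROP:<reason>" verdict for the whole datagram."""
        key = (frag.src, frag.dst, frag.proto, frag.ident)
        pd = self.pending.setdefault(key, Pending())
        pd.parts[frag.offset] = frag.payload
        pd.spis.add(frag.spi)                # remember which SA protected this piece
        if not frag.more:
            pd.total_len = frag.offset + len(frag.payload)
        data = self._assemble(pd)
        if data is None:
            return None                      # still waiting for fragments
        del self.pending[key]
        # Rule 1: every fragment must have arrived under the same SA
        # ("congruent" SAs are modelled as identical SPIs here, an assumption).
        if len(pd.spis) != 1:
            return "DROP:mixed-sa"
        (spi,) = pd.spis
        # Rule 2: only now is the transport header available, so the port-level
        # selector can be evaluated against the SPD.
        dport = int.from_bytes(data[2:4], "big")   # assumes a TCP/UDP header at payload start
        allowed = self.spd.get((frag.src, frag.dst, frag.proto, dport), set())
        return "ACCEPT" if spi in allowed else "DROP:spd"

    @staticmethod
    def _assemble(pd: Pending) -> Optional[bytes]:
        if pd.total_len is None:
            return None
        buf = b""
        for off in sorted(pd.parts):
            if off != len(buf):
                return None                  # gap or overlap: not contiguous yet
            buf += pd.parts[off]
        return buf if len(buf) == pd.total_len else None


def _udp(dport: int) -> bytes:
    # Minimal constructed UDP header: sport 40000, dport, length 12, checksum 0.
    return (40000).to_bytes(2, "big") + dport.to_bytes(2, "big") + b"\x00\x0c\x00\x00"


SAMPLE_SPD = {("10.0.0.1", "10.0.0.2", 17, 53): {0x1001}}   # constructed policy


def demo() -> Dict[str, Optional[str]]:
    """Four constructed datagrams exercising the two rules and out-of-order arrival."""
    results: Dict[str, Optional[str]] = {}
    eng = FragmentPolicyEngine(SAMPLE_SPD)

    def frag(ident, offset, more, payload, spi):
        return Fragment("10.0.0.1", "10.0.0.2", 17, ident, offset, more, payload, spi)

    # 1) both fragments on the same SA, selector permitted -> ACCEPT
    eng.receive(frag(1, 0, True, _udp(53), 0x1001))
    results["same_sa"] = eng.receive(frag(1, 8, False, b"A" * 4, 0x1001))
    # 2) second fragment arrived on a different SA -> DROP:mixed-sa
    eng.receive(frag(2, 0, True, _udp(53), 0x1001))
    results["mixed_sa"] = eng.receive(frag(2, 8, False, b"B" * 4, 0x2002))
    # 3) same SA, but the port learned only after reassembly is not permitted -> DROP:spd
    eng.receive(frag(3, 0, True, _udp(22), 0x1001))
    results["wrong_port"] = eng.receive(frag(3, 8, False, b"C" * 4, 0x1001))
    # 4) tail fragment first: no verdict until the head (with the ports) arrives
    results["tail_first"] = eng.receive(frag(4, 8, False, b"D" * 4, 0x1001))
    results["then_head"] = eng.receive(frag(4, 0, True, _udp(53), 0x1001))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>10}: {verdict}")
```

Case 3 is the reason policy evaluation has to wait: the non-first fragment carries no port, so the SPD lookup is only meaningful on the reassembled datagram. A real implementation would also bound the pending queue and age out incomplete datagrams, which this sketch omits.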