Re: SAs that carry fragments Was: Re: Some IKEv2 issues
- To: Charles Lynn <clynn@bbn.com>
- Subject: Re: SAs that carry fragments Was: Re: Some IKEv2 issues
- From: Nicolas Williams <Nicolas.Williams@sun.com>
- Date: Thu, 19 Feb 2004 15:06:08 -0600
- Cc: Bora Akyol <bora@cisco.com>, kent@bbn.com, kivinen@iki.fi, byfraser@cisco.com, ipsec@lists.tislabs.com
- In-reply-to: <20040219203858.137382051E@wolfe.bbn.com>
- Mail-followup-to: Charles Lynn <clynn@bbn.com>, Bora Akyol <bora@cisco.com>, kent@bbn.com, kivinen@iki.fi, byfraser@cisco.com, ipsec@lists.tislabs.com
- References: <00c301c3f723$fa3577f0$060a0a0a@amer.cisco.com> <20040219203858.137382051E@wolfe.bbn.com>
- Sender: owner-ipsec@lists.tislabs.com
- User-agent: Mutt/1.4i
On Thu, Feb 19, 2004 at 03:38:58PM -0500, Charles Lynn wrote:
> > Delay policy evaluation until fragmented packets are reassembled? This
> > might be fine for transport mode SAs [but not for tunnel mode SAs?].
>
> It requires memory in, e.g., a security gateway, code to do
> fragmentation and reassembly, and makes it harder to keep up with line
> rate.
Which is why I thought this would be fine for transport-mode scenarios
but maybe not for tunnel-mode. Of course, in the case of SGs there are
likely to be very few live SAs per client, so this may be a non-issue.
I'm not up on the whole thread, so I'll go back to lurking now. I just
wanted to make sure that multi-user peers w/ transport mode SAs remained
workable.
Nico
--
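The tradeoff the thread is circling, shown as an added example that is not from the list discussion: a non-initial IPv4 fragment carries no TCP/UDP header, so a port-based SA selector cannot be evaluated on it, and the alternative of reassembling first costs the buffer memory Charles mentions. The fragment layout, the SPD entries and the buffer cap are all constructed for illustration.

```python
# Added example (not from the thread): per-fragment SA selection fails on
# non-initial fragments; reassemble-then-evaluate works but needs memory.
# Fragment layout, SPD entries and the buffer cap are constructed here.
from dataclasses import dataclass

@dataclass
class Frag:
    src: str
    dst: str
    ident: int
    offset: int        # fragment offset in 8-byte units, as in the IPv4 header
    more: bool         # MF (more fragments) flag
    payload: bytes

# Constructed SPD: (dst, proto, dst_port) -> SA name; port None means "any port"
SPD = {("10.0.0.2", 6, 22): "sa-ssh", ("10.0.0.2", 6, None): "sa-tcp-rest"}

def lookup(dst, proto, dport):
    return SPD.get((dst, proto, dport)) or SPD.get((dst, proto, None))

def select_sa(frag: Frag, proto: int):
    """Per-fragment policy: undecidable unless the L4 header is present."""
    if frag.offset != 0 or len(frag.payload) < 4:
        return None                      # no ports in a non-initial fragment
    dport = int.from_bytes(frag.payload[2:4], "big")
    return lookup(frag.dst, proto, dport)

class Reassembler:
    """Buffer fragments per (src, dst, ident); evaluate policy once complete."""
    def __init__(self, max_buffered=64 * 1024):
        self.bufs = {}
        self.max_buffered = max_buffered  # memory cap a gateway must enforce

    def add(self, frag: Frag, proto: int):
        key = (frag.src, frag.dst, frag.ident)
        parts = self.bufs.setdefault(key, {})
        parts[frag.offset * 8] = (frag.payload, frag.more)
        if sum(len(p) for p, _ in parts.values()) > self.max_buffered:
            del self.bufs[key]           # drop the datagram rather than exhaust memory
            return None
        data, pos = b"", 0
        while pos in parts:              # walk the contiguous run from offset 0
            payload, more = parts[pos]
            data += payload
            pos += len(payload)
            if not more:                 # last fragment reached: datagram complete
                del self.bufs[key]
                return lookup(frag.dst, proto, int.from_bytes(data[2:4], "big"))
        return None                      # still waiting for fragments
```

Fragments arriving out of order are held until the run from offset 0 to the MF=0 fragment is contiguous, which is exactly the state a line-rate gateway has to keep per in-flight datagram.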