Re: Traffic selectors, fragments, ICMP messages and security policy problems



Paul,

	<SNIP>

>So where are we with Tero's previous analysis, which shows that port
>selection in the presence of fragmentation can only be done correctly
>if you keep cross-fragment state in the SG, i.e., it is expensive at
>high speed?

I think I disagreed with that argument in a previous message. I have 
started to write an analysis of these issues, to try to put things in 
better perspective, since our discussion of this topic has gotten 
very detailed and hard to follow at times.
>
>It sounds to me like we have a case of (a) fast and efficient, (b)
>support fragments, (c) support port selectors -- pick any TWO.

Maybe, but I don't think this is an intrinsic tradeoff.

Steve