Re: Traffic selectors, fragments, ICMP messages and security policy problems
On Thu, Feb 26, 2004 at 12:58:04PM -0500, Michael Richardson wrote:
>
> Steve and Thor post about situations where there are per-port selectors
> between two hosts. That does not present a fragmentation problem - you
Not necessarily; one end may be a gateway for the ultimate destination of
the traffic. Think "offload box in front of logging appliance that
doesn't have IPsec".
I have run into a situation analogous to this, that I can't really describe
in detail, that did in fact require both fragmentation and per-port
selectors. Strange but true.
Thor