
Fwd: Re: Traffic selectors, fragments, ICMP messages and security policy problems




Apparently my note has been misunderstood by some recipients.  The data on 
www.caida.org is captured on the wide area network.  NFS is rarely seen on 
the wide area network.  Rather, it is used locally within an enterprise, or 
it is carried inside a VPN by remote users who want to appear to be 
local.  My point is that the data on this web site needs to be viewed in 
this context, and it therefore will provide a skewed view that is not 
representative of the traffic that will be used with IPsec.

I hope this provides clarification, not further digression.

Russ


>Date: Wed, 17 Mar 2004 14:26:24 -0500
>To: Tero Kivinen <kivinen@iki.fi>
>From: Russ Housley <housley@vigilsec.com>
>Subject: Re: Traffic selectors, fragments, ICMP messages and security 
>policy problems
>Cc: ipsec@lists.tislabs.com
>
>You may be able to find some data at http://www.caida.org.
>
>Steve Bellovin and I are not convinced that general numbers are really 
>going to provide much insight.  NFS, for example, is a prime user of 
>fragments, but one will not see much NFS traffic on the wide-area 
>Internet.  However, a VPN might be a very different story.
>
>Russ
>
>
>
>At 12:12 PM 3/17/2004 +0200, Tero Kivinen wrote:
>>Does anybody have any statistics on how many of the packets in the net
>>are fragmented?