[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CONSENSUS TEST: Fragmentation handling
In your previous mail you wrote:
3. An implementation SHOULD support some form of stateful
fragment checking for a tunnel mode SA with non-trivial port field
values (not ANY or OPAQUE).
=> either the wording is bad or I disagree. What I understand (which
can be something else the intented meaning) is that stateful fragment
checking is RECOMMENDED and a simple implementation should not just
support -1- and only -1-.
Regards
Francis.Dupont@enst-bretagne.fr
PS: I'll strongly object to any thing stronger than a MAY for stateful
or reassembly strategy on a SG, not only because it makes SGs very
complex but because it is clearly against one of the purpose of IPsec:
to provide confidentiality.