Re: CONSENSUS TEST: Fragmentation handling
>>>>> "Theodore" == Theodore Ts'o <tytso@mit.edu> writes:
Theodore> OK, do we have consensus on the following text?
Theodore> (Taken from Steve's message of March 22nd, with #2 changed
Theodore> to MAY and #3 changed to SHOULD).
Theodore> Please respond by Friday....
yes.

I'm unclear how a responder knows that a non-initial fragment SA is
being negotiated in IKE. Is it based only on the OPAQUE value as
port-selectors? What about the protocol?
Theodore> 3. An implementation SHOULD support some form of stateful
Theodore> fragment checking for a tunnel mode SA with non-trivial
Theodore> port field values (not ANY or OPAQUE). Implementations
Theodore> that will transmit non-initial fragments on a tunnel mode
Theodore> SA that makes use of non-trivial port selectors MUST
Theodore> notify a peer via an IKE payload (TBD). The peer MUST
This seems like a new option to the TSx payload, right?
--
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [