
Re: CONSENSUS TEST: Fragmentation handling



At 9:32 PM +0200 4/6/04, Francis Dupont wrote:
>  In your previous mail you wrote:
>
>    3. An implementation SHOULD support some form of stateful
>    fragment checking for a tunnel mode SA with non-trivial port field
>    values (not ANY or OPAQUE).
>
>=> either the wording is bad or I disagree. What I understand (which
>can be something other than the intended meaning) is that stateful fragment
>checking is RECOMMENDED and a simple implementation should not just
>support -1- and only -1-.
>
>Regards
>
>Francis.Dupont@enst-bretagne.fr
>
>PS: I'll strongly object to anything stronger than a MAY for stateful
>or reassembly strategy on a SG, not only because it makes SGs very
>complex but because it is clearly against one of the purposes of IPsec:
>to provide confidentiality.

Francis,

What I proposed was that the stateful fragment checking be a SHOULD, with
the explicit intent that an implementation may choose to not support
#3 because of performance considerations. We can mention that
exception in the text. Would that address your concerns?

Steve