[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CONSENSUS TEST: Fragmentation handling
At 9:32 PM +0200 4/6/04, Francis Dupont wrote:
> In your previous mail you wrote:
>
> 3. An implementation SHOULD support some form of stateful
> fragment checking for a tunnel mode SA with non-trivial port field
> values (not ANY or OPAQUE).
>
>=> either the wording is bad or I disagree. What I understand (which
>can be something else the intented meaning) is that stateful fragment
>checking is RECOMMENDED and a simple implementation should not just
>support -1- and only -1-.
>
>Regards
>
>Francis.Dupont@enst-bretagne.fr
>
>PS: I'll strongly object to any thing stronger than a MAY for stateful
>or reassembly strategy on a SG, not only because it makes SGs very
>complex but because it is clearly against one of the purpose of IPsec:
>to provide confidentiality.
Francis,
I proposed was that the stateful fragment checking be a SHOULD, with
the explicit intent that an implementation may choose to not support
#3 because of performance considerations. We can mention that
exception in the text. Would that address your concerns?
Steve