[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CONSENSUS TEST: Fragmentation handling
On Tue, Apr 06, 2004 at 09:32:50PM +0200, Francis Dupont wrote:
> In your previous mail you wrote:
>
> 3. An implementation SHOULD support some form of stateful
> fragment checking for a tunnel mode SA with non-trivial port field
> values (not ANY or OPAQUE).
>
> => either the wording is bad or I disagree. What I understand (which
> can be something else the intented meaning) is that stateful fragment
> checking is RECOMMENDED and a simple implementation should not just
> support -1- and only -1-.
How do you view "RECOMMENDED" as being different from "SHOULD"?
> PS: I'll strongly object to any thing stronger than a MAY for stateful
> or reassembly strategy on a SG, not only because it makes SGs very
> complex but because it is clearly against one of the purpose of IPsec:
> to provide confidentiality.
You lost me there. How does incoming fragment reassembly violate the
goal of confidentiality?
- Ted