
Re: CONSENSUS TEST: Fragmentation handling



 In your previous mail you wrote:

   > => anything which tries to look at inside my packets violates my
   > confidentiality, and I don't like this at all from something which
   > is supposed to protect it. IMHO a router should not look at something
   > which is not in the IP header, or do you argue we should only use
   > IPsec end-to-end? (I am not against the idea but this is a bit drastic).
   
   We're talking about behavior in an IPsec implementation which enforces
   policy based on port numbers.  On the cleartext side, it's *already*
   looking into the packet well past the ip header..
   
=> I have nothing against an IPsec implementation which enforces policy
based on port numbers and when a security gateway is colocated with
a stateful firewall this is the thing to do, so this has to be specified.
My concern is as a side effect of this specification it seems that
to enforce policy based on port numbers is RECOMMENDED. I believe the
issue is in fact in the wording...

Thanks

Francis.Dupont@enst-bretagne.fr
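As an added illustration of the point discussed above (port-based policy means the IPsec implementation must read past the IP header, which is exactly what a non-initial fragment does not allow), here is a small Python model of an SPD lookup. It is example code written for this archive page, not code from the thread or from any IPsec implementation. The SPD structure, the selector fields, the two sample SPDs and the constructed packets are all assumptions chosen to show the fragment case; real implementations use richer selectors and SA state.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # selector wildcard: matches any value, including an unknown port


@dataclass
class Selector:
    dst_net: str              # destination prefix, e.g. "10.0.0.0/8"
    proto: Optional[int]      # 6 = TCP, 17 = UDP, ANY = any next-header
    dst_port: Optional[int]   # specific port, or ANY


@dataclass
class SpdEntry:
    selector: Selector
    action: str               # "PROTECT", "BYPASS" or "DISCARD"


@dataclass
class ParsedPacket:
    dst: str
    proto: int
    non_initial_fragment: bool
    dst_port: Optional[int]   # None when no transport header is present


def parse_ipv4(pkt: bytes) -> ParsedPacket:
    """Parse just enough of an IPv4 packet to evaluate SPD selectors.

    Only the first fragment (offset 0) carries the TCP/UDP header, so a
    non-initial fragment yields dst_port=None: the port is simply not there.
    """
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _tlen, _ident, flags_frag, _ttl,
     proto, _csum, _src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    frag_offset = flags_frag & 0x1FFF
    dst_port = None
    if frag_offset == 0 and proto in (6, 17) and len(pkt) >= ihl + 4:
        # TCP and UDP both start with source port, destination port
        _sport, dst_port = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return ParsedPacket(str(ipaddress.IPv4Address(dst)), proto,
                        frag_offset > 0, dst_port)


def spd_lookup(spd: List[SpdEntry], p: ParsedPacket) -> str:
    """First-match SPD lookup; unmatched traffic is discarded (RFC 4301 default)."""
    for entry in spd:
        s = entry.selector
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(s.dst_net):
            continue
        if s.proto is not ANY and s.proto != p.proto:
            continue
        if s.dst_port is not ANY:
            # A port-specific entry can only match when the port is visible.
            # A non-initial fragment has no transport header, so it falls
            # through to whatever entry comes next.
            if p.dst_port is None or p.dst_port != s.dst_port:
                continue
        return entry.action
    return "DISCARD"


def build_ipv4(dst: str, proto: int, frag_offset: int,
               more_frags: bool, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet (constructed sample data, checksum left 0)."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0,
                      ipaddress.IPv4Address("192.0.2.1").packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


# Assumed SPD 1: policy keyed on port only.
PORT_ONLY_SPD = [
    SpdEntry(Selector("10.0.0.0/8", 6, 22), "PROTECT"),
    SpdEntry(Selector("0.0.0.0/0", ANY, ANY), "BYPASS"),
]

# Assumed SPD 2: same, plus a wildcard entry so fragments of the same
# flow receive the same treatment as the first fragment.
FRAGMENT_AWARE_SPD = [
    SpdEntry(Selector("10.0.0.0/8", 6, 22), "PROTECT"),
    SpdEntry(Selector("10.0.0.0/8", ANY, ANY), "PROTECT"),
    SpdEntry(Selector("0.0.0.0/0", ANY, ANY), "BYPASS"),
]


def demo() -> dict:
    """Decisions for the first and a later fragment of one TCP/22 datagram."""
    first = build_ipv4("10.1.2.3", 6, 0, True,
                       struct.pack("!HH", 40000, 22) + b"\x00" * 16)
    rest = build_ipv4("10.1.2.3", 6, 185, False, b"\x00" * 8)
    return {
        "port_only": (spd_lookup(PORT_ONLY_SPD, parse_ipv4(first)),
                      spd_lookup(PORT_ONLY_SPD, parse_ipv4(rest))),
        "fragment_aware": (spd_lookup(FRAGMENT_AWARE_SPD, parse_ipv4(first)),
                           spd_lookup(FRAGMENT_AWARE_SPD, parse_ipv4(rest))),
    }


if __name__ == "__main__":
    print(demo())
```

With the port-only SPD the first fragment is protected but the rest of the same datagram falls through to the BYPASS entry, because the lookup cannot see a port that is not in the packet; the second SPD makes that decision explicit rather than accidental.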