Why can't ?
"srinivasrao.kulkarni" <srinu@trinc.com> Thu, 12 March 1998 14:25 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id JAA29346 for ipsec-outgoing; Thu, 12 Mar 1998 09:25:30 -0500 (EST)
Message-Id: <3.0.1.32.19960101172534.006a406c@192.9.200.10>
X-Sender: srinu@192.9.200.10
X-Mailer: Windows Eudora Light Version 3.0.1 (32)
Date: Mon, 01 Jan 1996 17:25:34 +0500
To: ipsec@tis.com
From: "srinivasrao.kulkarni" <srinu@trinc.com>
Subject: Why can't ?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Hi All,

With respect to the draft draft-ietf-ipsec-arch-sec-03.txt:

Case 3. This case combines cases 1 and 2, adding end-to-end security between the sending and receiving hosts. It imposes no new requirements on the hosts or security gateways, other than a requirement for a security gateway to be configurable to pass IPsec traffic (including ISAKMP traffic) for hosts behind it.

      ================================================================
      |                                                              |
      |                  =========================                   |
      |                  |                       |                   |
    --|------------------|----                ---|-------------------|---
    | |                  |   |                |  |                   |  |
    | H1* -- (Local --- SG1* |-- (Internet) --| SG2* --- (Local --- H2* |
    |        Intranet)       |                |          Intranet)      |
    --------------------------                ---------------------------
       admin. boundary                           admin. boundary

Here consider that the host H1 sends out fragments, or the incoming packets to the SG1 are fragmented; then:

* Whether such a situation arises that the incoming packets to a security gateway are fragmented?

* What does the security gateway do in such a situation? Does it reassemble all the packets (even though they are not destined for it, because reassembly occurs only at the destination) and apply tunnel mode, i.e. do IPsec processing on the reassembled packet and send it out with or without fragmentation as needed?

* Does it discard the packet since a fragment has come to the IPsec processing?

* Why can't we apply IPsec processing on fragments (I did not get anything from the explanation given in the draft)? If it is only due to the src and dest ports (which we can't get from the fragments, and if it is ESP), then that is not sufficient reason to discard fragments from the IPsec processing, because most of the time the packet will get fragmented or it will be in ESP mode. If we can apply IPsec on fragments then we can avoid the unnecessary reassembly at the SG1 just to apply IPsec.

Thank U in advance

Bridging the gap between hardware and software
with best wishes
- K. SrinivasRao (email: srinu@trinc.com)
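The following Python is an added illustration of the situation the post asks about; it is not code from the post, from the draft, or from any gateway implementation. It constructs a UDP datagram from H1 to H2 (destination port 500, the ISAKMP port the draft mentions), fragments it at a hypothetical MTU of 576, and shows that a policy lookup keyed on src/dst address, protocol and ports can recover the ports only from the initial fragment: the transport header simply is not present in later fragments. A small reassembly step then shows what a security gateway has to do before port selectors can be evaluated, including the consistency checks (same identification, no gaps or overlaps, final fragment present) that reassembly at an intermediate node must enforce. All addresses, ports and the MTU are constructed sample values.

```python
import struct
from dataclasses import dataclass

# Minimal IPv4 model for the fragment/selector problem.
# Constructed example; not code from the IPsec draft or any real gateway.

PROTO_TCP, PROTO_UDP = 6, 17


@dataclass
class IPv4Packet:
    src: str
    dst: str
    proto: int
    ident: int
    more_fragments: bool
    frag_offset: int   # byte offset of this fragment's payload in the original datagram
    payload: bytes


def _ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(src, dst, proto, ident, payload, frag_offset=0, more_fragments=False):
    """Build a 20-byte IPv4 header (no options, checksum left zero) plus payload."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0, _ip_to_bytes(src), _ip_to_bytes(dst))
    return header + payload


def parse_ipv4(raw: bytes) -> IPv4Packet:
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return IPv4Packet(
        src=".".join(map(str, src)), dst=".".join(map(str, dst)),
        proto=proto, ident=ident,
        more_fragments=bool(flags_frag & 0x2000),
        frag_offset=(flags_frag & 0x1FFF) * 8,
        payload=raw[ihl:total_len],
    )


def fragment(raw: bytes, mtu: int) -> list:
    """Split a datagram into fragments; payload chunks must be multiples of 8 bytes."""
    pkt = parse_ipv4(raw)
    chunk = (mtu - 20) // 8 * 8
    frags = []
    for off in range(0, len(pkt.payload), chunk):
        piece = pkt.payload[off:off + chunk]
        more = off + chunk < len(pkt.payload)
        frags.append(build_ipv4(pkt.src, pkt.dst, pkt.proto, pkt.ident, piece, off, more))
    return frags


def spd_selectors(pkt: IPv4Packet):
    """(src, dst, proto, sport, dport) as a policy lookup would see them.

    Transport ports sit in the first bytes of the transport header, which
    travel only in the fragment with offset 0; every later fragment yields None.
    """
    sport = dport = None
    if pkt.proto in (PROTO_TCP, PROTO_UDP) and pkt.frag_offset == 0 and len(pkt.payload) >= 4:
        sport, dport = struct.unpack("!HH", pkt.payload[:4])
    return (pkt.src, pkt.dst, pkt.proto, sport, dport)


def reassemble(frags) -> bytes:
    """Rebuild the original datagram; rejects gaps, overlaps and incomplete sets."""
    pkts = sorted((parse_ipv4(f) for f in frags), key=lambda p: p.frag_offset)
    first = pkts[0]
    if first.frag_offset != 0 or pkts[-1].more_fragments:
        raise ValueError("incomplete fragment set")
    data, expected = b"", 0
    for p in pkts:
        if (p.src, p.dst, p.proto, p.ident) != (first.src, first.dst, first.proto, first.ident):
            raise ValueError("fragment from a different datagram")
        if p.frag_offset != expected:
            raise ValueError("gap or overlap at offset %d" % p.frag_offset)
        data += p.payload
        expected += len(p.payload)
    return build_ipv4(first.src, first.dst, first.proto, first.ident, data)


def demo():
    """Constructed ISAKMP-like UDP datagram (dst port 500) from H1 to H2, fragmented at MTU 576."""
    udp = struct.pack("!HHHH", 5000, 500, 8 + 1000, 0) + b"A" * 1000
    datagram = build_ipv4("10.0.0.1", "10.0.1.1", PROTO_UDP, 0x1234, udp)
    frags = fragment(datagram, 576)
    per_fragment = [spd_selectors(parse_ipv4(f)) for f in frags]
    after_reassembly = spd_selectors(parse_ipv4(reassemble(frags)))
    return per_fragment, after_reassembly


if __name__ == "__main__":
    per_frag, whole = demo()
    for sel in per_frag:
        print("fragment selectors:", sel)
    print("reassembled selectors:", whole)
```

Running `demo()` gives two fragments: the first yields the full selector tuple including ports 5000 and 500, the second yields `None` for both ports, and the reassembled datagram yields the same tuple as the first fragment. That is the core of the gateway's dilemma: a policy written in terms of ports can be applied to a non-initial fragment only after reassembly, or the gateway must fall back to a coarser policy (addresses and protocol only) for fragments.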