
Re: IPsec issue #49 -- red-side fragmentation option
When an IPsec device sending an outbound packet does red-side fragmentation, there are at least two possible ways to select SAs for the fragments.

One way is to use the SPD entry selected for the initial packet to process all the created fragments. This has some appeal because the initial packet is more likely to contain the port numbers (i.e. if it was not itself already a fragment).

The other is to create all the fragments first, then search the SPD independently for each fragment. They would then be processed as per Issue #81 "Handling outbound red fragments".

The second way seems correct to me because it puts the sender and receiver on an equal footing for selecting an SPD entry. The receiver of the IPsec-protected fragments is not going to reassemble them, so it will not know which ones came from what initial packet. Therefore I think the sender should not take advantage of the additional information it has.

In any event, shouldn't the discussion of red-side fragmentation in 2401bis make a statement on this issue?

--Mark
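The two selection strategies in the message above, modelled in Python as an added example (not code from the original post or from any IPsec implementation). The SPD entries, SA names, addresses and packet are constructed for the illustration; the ANY/OPAQUE selector convention is borrowed loosely from RFC 4301 and is an assumption here, not something the message itself specifies. The example fragments one TCP packet red-side, picks an SA for each fragment first by the SPD entry of the initial packet and then by a per-fragment lookup, and finally checks each fragment the way a receiver that does not reassemble would, against the selectors of the SA it arrived on.

```python
"""Toy model of red-side (pre-IPsec) fragmentation and outbound SPD lookup.

Constructed example: the SPD, SA names, address and packet below are made up.
The ANY/OPAQUE selector convention is modelled loosely after RFC 4301.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "ANY"        # selector matches any value, including "not available"
OPAQUE = "OPAQUE"  # selector matches only when the field is not available

TCP = 6
IP_HDR_LEN = 20
TCP_HDR_LEN = 20


@dataclass(frozen=True)
class Packet:
    dst: str
    proto: int
    dport: Optional[int]   # None when the transport header is not present
    frag_offset: int       # in 8-octet units; 0 for the initial fragment
    length: int            # bytes of IP payload carried by this datagram


@dataclass(frozen=True)
class SpdEntry:
    dst: str
    proto: object          # protocol number or ANY
    dport: object          # port number, ANY or OPAQUE
    sa: str                # name of the SA this entry maps to (assumed)


def _sel_match(selector, value) -> bool:
    if selector == ANY:
        return True
    if selector == OPAQUE:
        return value is None
    return value is not None and selector == value


def spd_lookup(spd: List[SpdEntry], pkt: Packet) -> str:
    """Ordered SPD search; first matching entry wins."""
    for e in spd:
        if (e.dst == pkt.dst and _sel_match(e.proto, pkt.proto)
                and _sel_match(e.dport, pkt.dport)):
            return e.sa
    raise LookupError("no SPD entry matched (would be DISCARD)")


def fragment(pkt: Packet, mtu: int) -> List[Packet]:
    """Red-side IP fragmentation: only the first fragment carries the TCP header,
    so later fragments have no port numbers available to a selector."""
    assert pkt.frag_offset == 0, "only whole packets are fragmented here"
    max_payload = (mtu - IP_HDR_LEN) // 8 * 8   # fragment payload is 8-octet aligned
    frags, off = [], 0
    while off < pkt.length:
        size = min(max_payload, pkt.length - off)
        dport = pkt.dport if off == 0 else None
        frags.append(Packet(pkt.dst, pkt.proto, dport, off // 8, size))
        off += size
    return frags


def select_per_packet(spd: List[SpdEntry], pkt: Packet, mtu: int) -> List[Tuple[int, str]]:
    """Strategy 1: look up the SPD once for the initial packet, apply that SA to all fragments."""
    sa = spd_lookup(spd, pkt)
    return [(f.frag_offset, sa) for f in fragment(pkt, mtu)]


def select_per_fragment(spd: List[SpdEntry], pkt: Packet, mtu: int) -> List[Tuple[int, str]]:
    """Strategy 2: fragment first, then search the SPD independently for each fragment."""
    return [(f.frag_offset, spd_lookup(spd, f)) for f in fragment(pkt, mtu)]


def receiver_check(spd: List[SpdEntry], pkt: Packet, mtu: int, chosen: List[Tuple[int, str]]) -> List[bool]:
    """Receiver view: no reassembly, so each fragment is checked on its own against
    the selectors of the SA it arrived on (the SPD entry that created that SA)."""
    by_sa = {e.sa: e for e in spd}
    result = []
    for frag, (_, sa) in zip(fragment(pkt, mtu), chosen):
        e = by_sa[sa]
        result.append(_sel_match(e.proto, frag.proto) and _sel_match(e.dport, frag.dport))
    return result


# Constructed SPD: a port-specific entry, an entry for port-less fragments, a catch-all.
SPD = [
    SpdEntry("10.0.0.2", TCP, 22, "sa-ssh"),
    SpdEntry("10.0.0.2", TCP, OPAQUE, "sa-frag"),
    SpdEntry("10.0.0.2", ANY, ANY, "sa-any"),
]
# Constructed packet: TCP to port 22, 3000 bytes of payload, sent through a 1500-byte MTU.
PKT = Packet("10.0.0.2", TCP, 22, 0, TCP_HDR_LEN + 3000)
MTU = 1500

if __name__ == "__main__":
    for name, fn in (("per-packet", select_per_packet), ("per-fragment", select_per_fragment)):
        chosen = fn(SPD, PKT, MTU)
        print(name, chosen, "receiver accepts:", receiver_check(SPD, PKT, MTU, chosen))
```

With the per-packet strategy every fragment goes out on sa-ssh, but the receiver, which only sees the non-initial fragments' missing ports, cannot match them against that SA's port selector; with the per-fragment strategy the sender's choice and the receiver's check agree on every fragment, which is the "equal footing" the message argues for.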