Re: SAs that carry fragments Was: Re: Some IKEv2 issues
- To: Charles Lynn <clynn@xxxxxxx>
- Subject: Re: SAs that carry fragments Was: Re: Some IKEv2 issues
- From: Nicolas Williams <Nicolas.Williams@xxxxxxx>
- Date: Thu, 19 Feb 2004 15:06:08 -0600
- Cc: Bora Akyol <bora@xxxxxxxxx>, kent@xxxxxxx, kivinen@xxxxxx, byfraser@xxxxxxxxx, ipsec@xxxxxxxxxxxxxxxxx
- Mail-followup-to: Charles Lynn <clynn@bbn.com>, Bora Akyol <bora@cisco.com>, kent@bbn.com, kivinen@iki.fi, byfraser@cisco.com, ipsec@lists.tislabs.com
- Sender: owner-ipsec@xxxxxxxxxxxxxxxxx
- User-agent: Mutt/1.4i
On Thu, Feb 19, 2004 at 03:38:58PM -0500, Charles Lynn wrote:
> > Delay policy evaluation until fragmented packets are reassembled? This
> > might be fine for transport mode SAs [but not for tunnel mode SAs?].
>
> It requires memory in, e.g., a security gateway, code to do
> fragmentation and reassembly, and makes it harder to keep up with line
> rate.

Which is why I thought this would be fine for transport-mode scenarios
but maybe not for tunnel-mode. Of course, in the case of SGs there's
likely to be very few live SAs per client, so this may be a non-issue.

I'm not up on the whole thread, so I'll go back to lurking now. I just
wanted to make sure that multi-user peers w/ transport mode SAs remained
workable.

Nico