Hi Steffen, > > It seems to me that it can be done pretty easy by linking the > > reassembly logic > > with replay protection window. > > While it looks like doing the reassembling based on ESP sequence numbers > might be an easy approach, it could be also dangerous. > > Consider a system that encapsulates two flows on different cpus > with the same SA. This system can TX packets in the following > order: > > TX cpu0 inner flow0 SA0: > > Offset: 0 Offset: 100 > [ ESP1 (1500) ] [ ESP3 (1500) ] > [--800--][--800- -][-----1400---] > > -------------------------------------------------------------------------------------- > TX cpu1 inner flow1 SA0: > Offset: 0 Offset: 100 > [ ESP2 (1500) ] [ ESP4 > (1500) ] > [--800--][--800- > -][----1400----] > > > On the receive side, it is not that clear how to reassemble the fragments > from ESP3 and ESP4 into the fragments from ESP1 and ESP2. Maybe some > packet ID in the IP-TFS header could help to identify related fragments.
I'm probably missing something here, but I think that sending side assigns every outgoing IP packet to some SA. Then the packet is added to the ESP message (that may already contain previous packets). If the packet cannot fit into the left space, it is split and the rest of the packet is sent in the next ESP message of the same SA. In this case there must not be situations when one part of the IP packet is sent over one SA and the rest of the packet is sent over different SA. Am I missing something? Regards, Valery. > Steffen _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
