From: Alexey Kuznetsov <[EMAIL PROTECTED]> Date: Tue, 5 Sep 2006 13:05:30 +0400
> Look into old rfc2401, search for word "fragment".
> Then search for the same word in new rfc4301. All those 100K of new text
> deal with various design bugs in IPsec, mostly with pathologies encountered
> in the case of security gateways. (Some sections there are real fun: f.e.
> look at section 7.2)

I even was not aware of this problem. :-)

Essentially, if you use ports as part of your selector, then it is impossible to handle anything other than the first fragment of a fragmented frame because the subsequent fragments will not have the ports which you need in order to match.

The suggestions in 7.2 involving a separate SA for the non-first fragments seem totally unrealistic, if you ask me. They even say the idea cannot work with ipv6; what is the point? :-)
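The selector problem discussed in the post, as an added example that is not part of the original message: a minimal IPv4 fragment parser and a port-based selector check run over two constructed fragments of one UDP datagram. The packet bytes and the selector are constructed for illustration only; the point it shows is that a selector carrying a port can be decided for the first fragment but is undecidable for any later fragment, which is exactly why RFC 4301 section 7.2 needs special handling.

```python
import struct

# Constructed sample packets (not from the post): one UDP datagram to port 53,
# split into a first fragment (carries the UDP header) and a second fragment.
def build_ipv4(src, dst, proto, frag_off, more_frags, payload):
    flags_frag = (0x2000 if more_frags else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

UDP_HDR = struct.pack("!HHHH", 40000, 53, 8 + 16, 0)   # sport, dport, len, csum
FIRST_FRAG = build_ipv4("10.0.0.1", "10.0.0.2", 17, 0, True, UDP_HDR + b"A" * 8)
SECOND_FRAG = build_ipv4("10.0.0.1", "10.0.0.2", 17, 16, False, b"B" * 8)

def parse_fragment(pkt):
    """Extract the selector-relevant fields; ports only exist in the first fragment."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    proto = pkt[9]
    frag_off = (flags_frag & 0x1FFF) * 8
    payload = pkt[ihl:]
    ports = None
    if frag_off == 0 and proto in (6, 17) and len(payload) >= 4:
        ports = struct.unpack("!HH", payload[:4])     # (sport, dport)
    return {"src": ".".join(map(str, pkt[12:16])),
            "dst": ".".join(map(str, pkt[16:20])),
            "proto": proto, "frag_off": frag_off,
            "mf": bool(flags_frag & 0x2000), "ports": ports}

def match_selector(frag, selector):
    """Return 'match', 'no-match', or 'undetermined' (ports live in another fragment)."""
    if (frag["src"], frag["dst"], frag["proto"]) != (selector["src"], selector["dst"], selector["proto"]):
        return "no-match"
    if selector.get("dport") is None:
        return "match"                  # address/protocol-only selector: every fragment decidable
    if frag["ports"] is None:
        return "undetermined"           # non-first fragment: no transport header to inspect
    return "match" if frag["ports"][1] == selector["dport"] else "no-match"

PORT_SELECTOR = {"src": "10.0.0.1", "dst": "10.0.0.2", "proto": 17, "dport": 53}
ADDR_SELECTOR = {"src": "10.0.0.1", "dst": "10.0.0.2", "proto": 17}

if __name__ == "__main__":
    for name, pkt in (("first", FIRST_FRAG), ("second", SECOND_FRAG)):
        print(name, match_selector(parse_fragment(pkt), PORT_SELECTOR))
```

With the port selector the first fragment matches and the second is undetermined; with the address-only selector both fragments are decidable.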