David Miller writes:
> Essentially, if you use ports as part of your selector,
> then it is impossible to handle anything other than the
> first fragment of a fragmented frame because the subsequent
> fragments will not have the ports which you need in order
> to match.
If you have port/protocol based selectors and you are firewalling then re-assembly is already being done, so IPsec will see the re-assembled packet at little cost. Alternately, in a pure IPsec configuration it is possible to arrange things so that re-assembly is only done if port/protocol based selectors are used.
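The fragment problem in the quoted text and the reassemble-first answer in the reply, shown by an added Python example that is not code from this thread or from the kernel: a port-based selector is applied to two constructed IPv4 fragments of one UDP datagram and then to the reassembled datagram. The IPv4/UDP parsing is minimal, the checksums are left zero, and the addresses, fragment id and port numbers are made up.

```python
import struct

def parse_ipv4(pkt):
    """Minimal IPv4 header parse: id, protocol, MF flag, fragment offset, payload."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, frag_field = struct.unpack("!HHH", pkt[2:8])
    return {"id": ident, "proto": pkt[9], "mf": bool(frag_field & 0x2000),
            "offset": (frag_field & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}

def selector_match(pkt, proto, dport):
    """Port-based selector: True/False, or None when the fragment carries no
    transport header and the ports cannot be examined at all."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != proto:
        return False
    if ip["offset"] != 0 or len(ip["payload"]) < 4:
        return None  # non-first (or truncated) fragment: no ports to match
    _sport, dst_port = struct.unpack("!HH", ip["payload"][:4])
    return dst_port == dport

def reassemble(frags):
    """Rebuild one unfragmented datagram from a complete set of fragments
    sharing an id (assumes no gaps or overlaps; header copied from the first)."""
    parts = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["offset"])
    data = b"".join(p["payload"] for p in parts)
    hdr = bytearray(frags[0][:20])
    struct.pack_into("!H", hdr, 2, 20 + len(data))  # new total length
    struct.pack_into("!H", hdr, 6, 0)               # clear MF and offset
    return bytes(hdr) + data

def make_frag(ident, offset, mf, proto, payload):
    """Constructed IPv4 fragment (checksum left zero, addresses made up)."""
    frag_field = (0x2000 if mf else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       frag_field, 64, proto, 0, bytes([10, 0, 0, 1]),
                       bytes([10, 0, 0, 2])) + payload

# constructed sample: one UDP datagram to port 500 split into two fragments
UDP = 17
UDP_HDR = struct.pack("!HHHH", 4000, 500, 8 + 16, 0)  # sport, dport, len, csum
FRAG1 = make_frag(7, 0, True, UDP, UDP_HDR + b"A" * 8)   # carries the ports
FRAG2 = make_frag(7, 16, False, UDP, b"B" * 8)           # ports absent

if __name__ == "__main__":
    print(selector_match(FRAG1, UDP, 500))                       # True
    print(selector_match(FRAG2, UDP, 500))                       # None: undecidable
    print(selector_match(reassemble([FRAG1, FRAG2]), UDP, 500))  # True
```

The second fragment yields None rather than False: the selector has nothing to decide on, which is why the policy lookup has to run after reassembly (or the packet must be reassembled whenever a port/protocol selector is in use).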