
Re: [LinkSec] LinkSec 80-2.1AE Teleconference notes 9/16/03




Russ,

Russ is absolutely right.  802.10 allows only two fragments.

We'll have to talk more before accepting or rejecting fragmentation.  It
requires at least one max frame size buffer per security association in
the receiver.  The 802.10 version also requires rekeying before allowing
the fragment ID to roll over.  That's a bit tight on a 32-bit frag ID.
These sorts of things can be overcome, of course, but there are also system
implications:

Consider what happens if you, a switch port, have 50 security associations
to 50 devices on a shared medium LAN, and consider what happens if all 50 send
max-length first fragments, then all 50 send min-length second fragments,
perhaps in response to a broadcast query of some sort.  What is the latency
seen by the 51st transmitter?

-- Norm

Russ Housley wrote:
> 
> Allyn:
> 
> Thanks for the clarifications.
> 
> I take issue with this comment.  It is not true.
> 
>>>> .10 fragmentation shouldn't be followed, allows arbitrary fragmentation
>>>
>>
>> I think the person who said this feels that 802.10 allows an arbitrary 
>> amount of fragmentation, in this case, more than fragmentation into 
>> two segments, and that he feels that he does not want LinkSec to do 
>> fragmentation in the same way that 802.10 did.
> 
> 
> Take a look at IP -- that allows arbitrary fragmentation.  The 
> fragmentation in 802.10 could only be invoked as a result of crypto 
> expansion, so we knew that two fragments was sufficient.  Further, by 
> breaking the expanded PDU in half, we knew that any subsequent 
> encryption from another SDE-enabled bridge would not need fragmentation.
> 
> Russ
> 
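The 50-station burst and the fragment-ID rollover that Norm raises above, worked through as an added example; this is not code from the thread or from 802.10/802.1AE. It assumes a 100 Mb/s FIFO shared medium with no collisions, Ethernet maximum/minimum frames of 1518/64 bytes plus 20 bytes of preamble and inter-frame gap, one max-size reassembly buffer per security association, and one 32-bit fragment ID consumed per fragmented frame; all of these are assumptions, not values from the message.

```python
# Added example: a model of the fragmentation concerns in the message above.
# Every constant below is an assumption for illustration, not from the thread.
LINK_BPS = 100_000_000   # assumed shared-medium rate, 100 Mb/s
MAX_FRAME = 1518         # assumed Ethernet maximum frame, bytes
MIN_FRAME = 64           # assumed Ethernet minimum frame, bytes
WIRE_OVERHEAD = 20       # assumed preamble + inter-frame gap, bytes per frame
FRAG_ID_BITS = 32        # fragment ID width mentioned in the message


def wire_time(frame_bytes: int, link_bps: int = LINK_BPS) -> float:
    """Seconds a frame occupies the shared medium, including overhead."""
    return (frame_bytes + WIRE_OVERHEAD) * 8 / link_bps


def simulate_burst(n_stations: int) -> dict:
    """Serialize the burst on a FIFO shared medium (assumed: no collisions,
    no priority) and track the receiver's per-SA reassembly state."""
    clock = 0.0
    partial = {}          # SA -> bytes held while reassembly is incomplete
    peak_buffers = 0
    # Phase 1: every station sends a max-length first fragment.
    for sa in range(n_stations):
        clock += wire_time(MAX_FRAME)
        partial[sa] = MAX_FRAME               # receiver must hold it
        peak_buffers = max(peak_buffers, len(partial))
    # Phase 2: every station sends its min-length second fragment.
    for sa in range(n_stations):
        clock += wire_time(MIN_FRAME)
        partial.pop(sa)                       # reassembly done, buffer freed
    return {
        # The (n+1)-th transmitter cannot start before the burst clears.
        "latency_next_sender_s": clock,
        # Each in-progress reassembly pins a max-frame-size buffer.
        "peak_reassembly_bytes": peak_buffers * MAX_FRAME,
        "buffers_after_burst": len(partial),
    }


def rekey_interval_s(link_bps: int = LINK_BPS) -> float:
    """Seconds until a 32-bit fragment ID wraps if every frame on the medium
    is split into one max and one min fragment (assumed: one ID per
    fragmented frame); 802.10-style rules require rekeying before that."""
    per_frame = wire_time(MAX_FRAME, link_bps) + wire_time(MIN_FRAME, link_bps)
    return (2 ** FRAG_ID_BITS) * per_frame


if __name__ == "__main__":
    r = simulate_burst(50)
    print(f"51st sender waits {r['latency_next_sender_s'] * 1e3:.2f} ms; "
          f"peak reassembly memory {r['peak_reassembly_bytes']} bytes")
    for bps in (LINK_BPS, 10_000_000_000):
        print(f"{bps / 1e9:g} Gb/s: frag ID wraps after "
              f"{rekey_interval_s(bps) / 3600:.1f} h of fragmented traffic")
```

At the assumed 100 Mb/s the 51st sender waits about 6.5 ms and the receiver pins roughly 76 KB of reassembly buffers; raising the assumed rate to 10 Gb/s brings the 32-bit fragment ID wrap, and hence the forced rekey, down to under two hours of fragmented traffic.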