Subject: Re: Default value of net.inet.ipsec.dfbit breaks PMTU over IPsec tunnels
To: Michael Hertrick <m.hertrick@neovera.com>
From: Jason Thorpe <thorpej@wasabisystems.com>
List: tech-net
Date: 05/28/2004 13:38:01


On May 28, 2004, at 1:30 PM, Michael Hertrick wrote:

> If a router must fragment a packet in order to send it over an IPSec 
> tunnel, does it not have to encrypt each fragment separately?  Is 
> encryption more CPU intensive than fragmentation?  Would it be much 
> easier for a host or hosts to use fragmentation to consume all 
> available CPU on an IPSec gateway than on a non-IPSec gateway?

I don't really consider that a DoS.  Engineer your system such that you 
can handle the load in all the various cases.

         -- Jason R. Thorpe <thorpej@wasabisystems.com>

