Question about MAC labels and IP fragment handling

Crist J. Clark cristjc at earthlink.net
Wed Jan 30 01:03:42 GMT 2002


On Tue, Jan 29, 2002 at 05:06:01PM -0500, Robert Watson wrote:
[snip]

> (3) Assume that IPSO/CIPSO will apply only to the first fragment, and
>     ignore such labels on later fragments.  (This could be wrong: perhaps
>     IPSO/CIPSO should be processed before fragment processing, and be used
>     to update the label on the mbuf subject to policy). 

Just FYI, RFC 791 specifies that the IP Security Option is copied onto
all fragments.

If fragments are this much of a PITA, what's going to happen if TCP
segments from the same TCP connection come in on different interfaces
(which is much more likely to be seen in the real world than fragments
on different interfaces)?
-- 
Crist J. Clark                     |     cjclark at alum.mit.edu
                                   |     cjclark at jhu.edu
http://people.freebsd.org/~cjc/    |     cjc at freebsd.org
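The RFC 791 rule cited above, worked through as an added example that is not part of the original thread: the high bit of an IP option's type byte is the "copied" flag, and a fragmenter replicates only those options into fragments after the first. The Basic Security Option (type 130 = 0x82) has that bit set, Record Route (type 7) does not; the option and payload bytes below are constructed sample data, not captured traffic.

```python
"""RFC 791 option handling when an IPv4 datagram is fragmented (added example)."""

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_RR = 7            # Record Route: copied flag clear, first fragment only
IPOPT_SECURITY = 130    # Basic Security Option (0x82): copied flag set
COPIED_FLAG = 0x80      # high bit of the option type byte

# Constructed sample: IPSO (type 130, len 4, classification, authority flags)
# followed by an empty Record Route option (type 7, len 7, pointer 4).
SAMPLE_OPTIONS = b"\x82\x04\x5a\x00" + b"\x07\x07\x04\x00\x00\x00\x00"
SAMPLE_PAYLOAD = bytes(100)


def parse_options(opts: bytes) -> list:
    """Split an IPv4 options field into (type, raw_option_bytes) tuples."""
    out, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:                # single-byte option, no length field
            out.append((t, opts[i:i + 1]))
            i += 1
            continue
        ln = opts[i + 1]
        if ln < 2 or i + ln > len(opts):
            raise ValueError("malformed option length")
        out.append((t, opts[i:i + ln]))
        i += ln
    return out


def pad_options(opts: bytes) -> bytes:
    """Pad with EOL to a 32-bit boundary so the IHL field stays integral."""
    return opts + b"\x00" * (-len(opts) % 4)


def fragment(opts: bytes, payload: bytes, mtu: int = 60) -> list:
    """Return [(options_bytes, payload_chunk)] for each fragment.

    The first fragment carries every option; later fragments keep only
    options whose copied bit is set (so IPSO survives, Record Route does not).
    Non-final chunks are multiples of 8, the fragment-offset unit.
    """
    first_opts = pad_options(opts)
    copied = b"".join(raw for t, raw in parse_options(opts) if t & COPIED_FLAG)
    later_opts = pad_options(copied)
    frags, off = [], 0
    while off < len(payload):
        o = first_opts if off == 0 else later_opts
        room = (mtu - 20 - len(o)) // 8 * 8   # data bytes that fit this fragment
        if room <= 0:
            raise ValueError("MTU too small for header plus options")
        frags.append((o, payload[off:off + room]))
        off += room
    return frags
```

Running `fragment(SAMPLE_OPTIONS, SAMPLE_PAYLOAD)` yields four fragments, all of which start with the IPSO option, while the Record Route option appears only in the first.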
