Paul,

The packets or fragments can go different routes, but there is an aggregate point where assembly could be done. For example, usually firewall/IPsec are integrated in the same network device. And reassembly must be done when flow-based processing comes into the picture.
Thanks,
Victor

-----Original Message-----
From: paul_kon...@dell.com [mailto:paul_kon...@dell.com]
Sent: Monday, April 09, 2012 7:50 AM
To: k...@bbn.com; Xiangyang zhang
Cc: ipsec@ietf.org
Subject: RE: [IPsec] draft-zhang-ipsecme-multi-path-ipsec

>At 4:50 PM +0000 4/6/12, Xiangyang zhang wrote:
>>>Stephen,
>>
>>You understand this method very well. The disadvantage is the
>>possible severity of out of order delivery. Even with single SA, it
>>can also cause the out of order problem. As for re-order, just like
>>TCP reorder or IP reassembly, it can be done at intermediate node or end host.
>
>The TCP and IP specs do not envision an intermediary trying to put packets
>back in order or performing reassembly. When middle boxes do this performance
>often suffers.

In fact, reassembly at intermediate nodes is not possible at all, because IP can route packets on several routes. The full stream of packets is only available at the end points, so that is the only place where reassembly can be done.

paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec