Datagram authentication in internet gateways: implications of fragmentation and dynamic routing

The implications of fragmentation and dynamic routing for datagram authentication at the gateway level are discussed. Two protocols are presented that permit varying degrees of fragmentation and dynamic routing, while allowing the gateways to authenticate successive packets belonging to authorized connections. The first adapts to changing paths and fragmentation by keeping state information on a per-packet basis, while the second restricts fragmentation but incurs little state overhead. The two methods vary in implementation complexity, overhead, number of extra packets sent, and host modification requirements. They were designed with different network characteristics in mind, and, since they are not mutually exclusive, both can be incorporated and used depending on the nature of communication.