
Re: Field Variance Analysis



In message <199508150308.XAA23251@panix4.panix.com>, "Perry E. Metzger" writes:
>
>Craig Metz writes:
>> 	Again, this is a design question. I can predict that if I send a
>> packet over our routers, it will either get there with its options
>> the same way I sent them or it will get dropped because our filter got it.
>> We have Cisco routers. It just happens that we don't have configurations
>> on our routers that cause them to go munging packets. For that matter,
>> Bill, I've never seen a site in my entire life that has a router that
>> messes with IPv4 options on a packet in transit. Maybe they're more
>> common in your environment.
>
>I recall that you were mentioning IPSO. I seem to vaguely remember
>that CISCOs can be set to add IPSO tags to outgoing packets. This
>would seem to be something that could screw things up. Anyone recall
>if this is the case?

	Cisco routers can add IPSO options to outgoing packets. Question: Can
they *remove* IPSO options from incoming packets? If you set your network up
to symmetrically add and remove the options, the receiver receives the
intended packet, assuming that the sender didn't send an IPSO packet. The
right solution is that IPSO options be sent by the sender if they're used
at all. An even more right solution, of course, might be to use implicit
labels as part of the security association, but this is something we don't
quite yet have the technology to do (this becomes an easier case of the
intermediate network authentication problem). But if your operational network
has routers that take packets from hosts that never add IPSO and adds IPSO
to them (which I believe is the common case subset of this already rather
pathological case), then a solution is to have the routers strip them before
receipt by the sender. 

	I believe that IP-IP tunneling can also be used creatively to get
around problems where routers muck with IPv4 options. Routers can muck all
they want with the outside packet and the inside packet stays intact end-to-end.
This MIGHT provide a reasonable solution for many cases. Compare with
proposals to IP-IP tunnel if you have any IPv4 options. This shifts the extra
overhead to the less common case, IMO.

									-Craig
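As an added illustration of the two points in Craig's message (this is editor-added example code, not part of the thread or of any router vendor's implementation), the script below builds IPv4 packets carrying an RFC 1108 Basic Security Option, models a transit router that adds or strips IPSO, and then compares the untunnelled case with IP-in-IP encapsulation (protocol 4). The addresses, payload, IP identification value and the router behaviour are constructed assumptions; the option type (130) and the classification and protection-authority codes are taken from RFC 1108.

```python
"""Added example: IPSO options in transit, with and without an IP-IP tunnel.
Addresses, payload and the modelled router behaviour are constructed."""
import ipaddress
import struct

IPPROTO_IPIP = 4
IPPROTO_UDP = 17
IPOPT_EOL = 0
IPOPT_NOP = 1
IPOPT_SECURITY = 130      # RFC 1108 Basic Security Option (copied=1, class 0, number 2)
IPSO_SECRET = 0x5A        # classification level codes from RFC 1108 section 2.2
IPSO_TOP_SECRET = 0x3D
IPSO_PA_GENSER = 0x80     # protection authority flags: GENSER set, low bit 0 = last byte


def encode_options(opts):
    """Serialise [(type, body), ...] as TLV options (no EOL/NOP handling needed)."""
    return b"".join(bytes([t, 2 + len(body)]) + body for t, body in opts)


def parse_options(raw):
    """Return [(type, body), ...] from an options field; stops at EOL, skips NOP."""
    out, i = [], 0
    while i < len(raw):
        t = raw[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        ln = raw[i + 1]
        out.append((t, raw[i + 2:i + ln]))
        i += ln
    return out


def ipso_basic(level, authority=IPSO_PA_GENSER):
    """Basic Security Option: type, length, classification level, authority flags."""
    return encode_options([(IPOPT_SECURITY, bytes([level, authority]))])


def ip_checksum(hdr):
    """Standard one's-complement IP header checksum."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, options=b""):
    """Assemble header (options padded with EOL to 32 bits) plus payload."""
    if len(options) % 4:
        options += bytes([IPOPT_EOL]) * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0x1234, 0, 64, proto, 0,           # id 0x1234 is a constructed value
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed) + options
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Split a packet into fields, raw options and payload; verify the checksum."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"proto": proto, "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "options": pkt[20:ihl], "payload": pkt[ihl:total_len]}


def router_add_ipso(pkt, level):
    """Model a router configured to label every transit packet with IPSO."""
    p = parse_ipv4(pkt)
    opts = parse_options(p["options"]) + parse_options(ipso_basic(level))
    return build_ipv4(p["src"], p["dst"], p["proto"], p["payload"], encode_options(opts))


def router_strip_ipso(pkt):
    """Model the symmetric router that removes all IPSO options before delivery."""
    p = parse_ipv4(pkt)
    opts = [o for o in parse_options(p["options"]) if o[0] != IPOPT_SECURITY]
    return build_ipv4(p["src"], p["dst"], p["proto"], p["payload"], encode_options(opts))


def demo():
    """Sender labels its own packet; compare direct transit with an IP-IP tunnel."""
    inner = build_ipv4("10.0.0.1", "10.0.1.1", IPPROTO_UDP, b"constructed payload",
                       ipso_basic(IPSO_SECRET))
    # Case 1: no tunnel. The router adds a second label; the receiver sees both,
    # and the symmetric strip also throws the sender's own label away.
    mangled = router_add_ipso(inner, IPSO_TOP_SECRET)
    labels = [body[0] for t, body in parse_options(parse_ipv4(mangled)["options"])
              if t == IPOPT_SECURITY]
    stripped = router_strip_ipso(mangled)
    # Case 2: IP-IP tunnel. The router only touches the outer header.
    outer = build_ipv4("192.0.2.1", "198.51.100.1", IPPROTO_IPIP, inner)
    decap = parse_ipv4(router_add_ipso(outer, IPSO_TOP_SECRET))["payload"]
    return {"no_tunnel_labels": labels,
            "no_tunnel_stripped_equals_sent": stripped == inner,
            "tunnel_inner_intact": decap == inner}


if __name__ == "__main__":
    print(demo())
```

In the untunnelled run the receiver gets two Basic Security Options (the sender's Secret and the router's Top Secret) and the symmetric strip deletes both, so the packet that arrives is not the one the sender built; with the tunnel, the inner header, options and all, comes out byte-for-byte identical after decapsulation regardless of what the router did to the outer header.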