Re: IP packet fragmentation
> How are IP security transforms applied to fragmented packets (for
> example a 2000 byte PING which is fragmented into a 1500 byte fragment
> (header+data) and 548 byte fragment (header+data))? Is the packet
> reassembled in the outbound direction and then the security transform
> applied to the entire reassembled packet?
IPsec _must_ be done before fragmentation. This is specified in RFC 1825,
and why this is a good idea is documented in Bellovin's USENIX Security paper
from last summer.
Bump-in-the-stack encryptors are a nice short-term fix, but in the long term,
IPsec NEEDS to dig its meathooks into the general IP code. Basically,
outbound processing is:
1.) Create IP headers
2.) Fill in headers
3.) Apply IPsec
4.) Do I fragment? If so, fragment.
5.) Send out the wire.
On inbound packets...
1.) Get off the wire, check if for me. If not, forward.
2.) Reassemble
3.) Apply IPsec
4.) Determine HLP/endpoint/etc.
> or is the security transform applied to the first 1500 byte fragment, and
> 548 byte fragment independently?
NO NO NO! This is bad. I'm sure lots of implementations currently do this,
but it's bad because either:
1.) You have to keep security information per reassembly queue
** OR **
2.) The bad guy can inject fragments of his choosing.
IMPORTANT SAFETY TIP: IPsec, THEN fragment.
--
Daniel L. McDonald - Solaris Internet Engineering || MY OPINIONS ARE NOT
Mail: danmcd@eng.sun.com, danmcd@kebe.com <*> || NOT NECESSARILY SUN'S!
Phone: (415) 786-6815 |"rising falling at force ten
WWW: http://www.kebe.com/~danmcd | we twist the world and ride the wind" - Rush
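
The ordering described in the message above, as an added example that is not part of the original post: a toy model in which HMAC-SHA256 stands in for the IPsec transform, applied to the whole datagram before fragmentation and checked only after reassembly. The key, fragment size, tuple layout and all function names are assumptions made for illustration; no real IP, AH or ESP headers are built.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key, not a real SA
TAG_LEN = 32                   # HMAC-SHA256 output length
FRAG_SIZE = 1480               # assumed payload bytes per fragment


def protect(datagram: bytes) -> bytes:
    """Outbound step 3: transform the whole datagram (tag appended)."""
    return datagram + hmac.new(KEY, datagram, hashlib.sha256).digest()


def fragment(packet: bytes, size: int = FRAG_SIZE):
    """Outbound step 4: split into (offset, more_fragments, data) tuples."""
    chunks = [packet[i:i + size] for i in range(0, len(packet), size)]
    return [(i * size, i < len(chunks) - 1, c) for i, c in enumerate(chunks)]


def reassemble(frags):
    """Inbound step 2: rebuild the packet, or None if incomplete."""
    frags = sorted(frags, key=lambda f: f[0])
    if not frags or frags[-1][1]:      # nothing, or final fragment missing
        return None
    buf = b""
    for offset, _more, data in frags:
        if offset != len(buf):         # hole or overlap
            return None
        buf += data
    return buf


def verify(packet):
    """Inbound step 3: check the tag over the reassembled packet."""
    if packet is None or len(packet) < TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()
    return body if hmac.compare_digest(tag, expected) else None


def receive(frags):
    """Reassemble first, then verify; return the payload or None."""
    return verify(reassemble(frags))


if __name__ == "__main__":
    frags = fragment(protect(bytes(2000)))   # constructed 2000-byte datagram
    print(len(frags), receive(frags) is not None)
```

Because the tag covers the whole datagram, the receiver needs no security state per reassembly queue: a fragment that did not come from the sender makes the single check after reassembly fail.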