
Re: IPSEC Arch, ports, and tunnel mode SAs



Chris,

>Can I set up a tunnel mode SA between two SGs where one of the
>(outbound) selectors is a protocol port?  If so, what do I do when I
>receive an IP fragment on my "non-IPSEC" side?  I can't determine
>which tunnel to send through since I may not have the port info.

Yes, you can set up such an association, but you will have a problem if you
receive fragments, as you observed.  Appropriate use of ICMP PMTU can avoid
fragmentation, and many environments do not experience fragmentation due to
various conventions, so it is reasonable to support this selector option.

>Or, is the decision to forward fragments dependent on what I have in
>the ports field of the selector.  That is if the port fields are set
>to "don't care", then I can send fragments.  But, if they are set to
>specific values, then I must drop fragments.

Use of "don't care" works if you really don't care; send a PMTU ICMP to
cause future packets to not be fragments, as the text suggests, if you do
care.

>It seems like a bad idea to me to allow ports as a selector if it
>means that we can't send ip fragments through the tunnels.  (you might
>extend this statement and say it is a bad idea to allow ports as a
>selector for tunnel mode SAs.)

Not all tunnel mode SAs involve gateways, so the latter suggestion is
overkill.  Because there are means of addressing (red) fragment arrival
problems, and because many users will want to employ port filtering at
security gateways, it seems reasonable to retain this feature.

Steve
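
The classification problem discussed above, as an added example (not code from the thread, and not from any IPsec implementation): a toy red-side SPD lookup in Python that parses an IPv4 header, extracts TCP/UDP ports only when the transport header is present (fragment offset 0), and matches against an ordered SPD. An entry with specific port selectors can never match a non-initial fragment because the ports are unknown; only an entry whose ports are "don't care" can. The addresses, SA names and SPD entries are constructed for illustration.

```python
"""Toy IPsec SPD lookup on the red (non-IPsec) side, illustrating why a
non-initial IP fragment cannot be matched against a port selector.
Added example for the thread above; not code from any IPsec stack."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ANY = None                    # "don't care" selector value
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class SpdEntry:
    src: str                  # CIDR
    dst: str                  # CIDR
    proto: Optional[int]      # ANY or IP protocol number
    src_port: Optional[int]   # ANY or a specific port
    dst_port: Optional[int]
    action: str               # "PROTECT:<sa>", "BYPASS" or "DISCARD"


@dataclass(frozen=True)
class Classified:
    src: str
    dst: str
    proto: int
    fragment: bool            # MF set or offset > 0
    src_port: Optional[int]   # None when the transport header is absent
    dst_port: Optional[int]


def classify(pkt: bytes) -> Classified:
    """Parse an IPv4 header and, only if the transport header is present
    (fragment offset 0 and enough bytes), the TCP/UDP ports."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = flags_frag & 0x1FFF
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    sport = dport = None
    # Ports are the first 4 bytes of the TCP/UDP header, carried only by
    # the first fragment (offset 0); later fragments have opaque payload.
    if frag_offset == 0 and proto in (PROTO_TCP, PROTO_UDP) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return Classified(src, dst, proto, more_fragments or frag_offset > 0, sport, dport)


def spd_lookup(spd, c: Classified):
    """Return (action, reason); first matching entry wins, as in an ordered SPD.
    A specific port selector cannot match when the port is unknown, so a
    non-initial fragment only ever matches a 'don't care' entry."""
    for e in spd:
        if ipaddress.ip_address(c.src) not in ipaddress.ip_network(e.src):
            continue
        if ipaddress.ip_address(c.dst) not in ipaddress.ip_network(e.dst):
            continue
        if e.proto is not ANY and e.proto != c.proto:
            continue
        for want, have in ((e.src_port, c.src_port), (e.dst_port, c.dst_port)):
            if want is ANY:
                continue
            if have is None or want != have:
                break         # port selector set but port unknown/different
        else:
            return e.action, "matched"
    if c.fragment and c.src_port is None:
        return "DISCARD", "no match: ports unavailable in non-initial fragment"
    return "DISCARD", "no matching entry"


def ipv4(src, dst, proto, payload, ident=1, more=False, offset=0):
    """Build a minimal IPv4 packet (header checksum left 0; not checked here)."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


# Constructed SPD: two port-specific tunnels plus a "don't care" catch-all.
SPD = [
    SpdEntry("10.1.0.0/16", "10.2.0.0/16", PROTO_UDP, ANY, 53, "PROTECT:sa-dns"),
    SpdEntry("10.1.0.0/16", "10.2.0.0/16", PROTO_TCP, ANY, 443, "PROTECT:sa-https"),
    SpdEntry("10.1.0.0/16", "10.2.0.0/16", ANY, ANY, ANY, "PROTECT:sa-any"),
]

# Constructed sample: a 1500-byte UDP/53 datagram split into two fragments.
FIRST_FRAG = ipv4("10.1.0.5", "10.2.0.9", PROTO_UDP,
                  struct.pack("!HHHH", 40000, 53, 1500, 0) + b"x" * 1472, more=True)
LATER_FRAG = ipv4("10.1.0.5", "10.2.0.9", PROTO_UDP, b"y" * 200, offset=1480)

if __name__ == "__main__":
    for name, pkt in (("first fragment", FIRST_FRAG), ("later fragment", LATER_FRAG)):
        print(name, "full SPD:", spd_lookup(SPD, classify(pkt)),
              "| ports-only SPD:", spd_lookup(SPD[:2], classify(pkt)))
```

With the catch-all present, the first fragment goes through sa-dns while the later fragment goes through sa-any, i.e. the two halves of one datagram take different tunnels; with only the port-specific entries, the later fragment is discarded, which is the point at which the thread suggests ICMP PMTU signalling to stop the source from fragmenting.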
