
Re: IPSEC Arch, ports, and tunnel mode SAs



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Chris" == Chris Boscolo <chrisb@watchguard.com> writes:
    Chris> I have a question regarding the following change to the IPSEC Arch
    Chris> and a tunnel mode SA(s) set up between two SG's.

    Chris> Can I set up a tunnel mode SA between two SGs where one of the
    Chris> (outbound) selectors is a protocol port?  If so, what do I do when
    Chris> I receive an IP fragment on my "non-IPSEC" side?  I can't
    Chris> determine which tunnel to send through since I may not have the
    Chris> port info.

  My opinion is that you need to put non-initial fragments that match
your source/destination/protocol for your per-port SA into a queue. When the
initial fragment arrives, you apply your transform to all fragments that
have the same fragment ID, and if you notice that there are still more
fragments to arrive, you note the fragment ID.
  Of course, you have to expire the queue, and the noted fragment ID.

  This is classic stateful packet filtering.

   :!mcr!:            |  Sandelman Software Works Corporation, Ottawa, ON  
   Michael Richardson |Network and security consulting and contract programming
 Personal: mcr@sandelman.ottawa.on.ca <http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html>. PGP key available.
 Corporate: sales@sandelman.ottawa.on.ca <http://www.sandelman.ottawa.on.ca/SSW/>.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQB1AwUBNPBkXNiXVu0RiA21AQGrAgMAt3edxO8x5/l7zyNfDpbgwsofRkjR7LQF
QvThXAJ813qDVO/TTzUkMDEIlFMhCABfEnbdgY3/LRaWWKrRvj1r/PENS00BV1c7
FJ26wlsmajf33LCqJmeFTLdPx+WvdSEM
=sBSJ
-----END PGP SIGNATURE-----
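The queue-and-note scheme described in the reply above, written out as an added example (this is illustration code, not from the original message or from any IPsec implementation). It assumes a hypothetical selector table of `(src, dst, proto, dport)` tuples mapped to SA names, where `dport` of `None` means "any port", and it keys per-datagram state on `(src, dst, proto, fragment ID)`. Non-initial fragments for a flow that has a per-port SA are held until the initial fragment (the only one carrying the transport header) picks the SA; once the SA is noted for that fragment ID, later fragments are classified immediately; both the queue and the noted ID expire after a timeout, and the queue is capped so that unauthenticated fragments arriving on the clear-text side cannot consume unbounded memory.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical selector: (src, dst, proto, dport); dport None = any port.
Selector = Tuple[str, str, int, Optional[int]]


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: int
    frag_id: int
    offset: int                  # IP fragment offset; 0 = initial fragment
    more: bool                   # IP "more fragments" flag
    dport: Optional[int] = None  # transport port, only visible in the initial fragment


@dataclass
class FragState:
    sa: Optional[str]                                 # noted SA, None until the initial fragment arrives
    queued: List[Fragment] = field(default_factory=list)
    expires: float = 0.0


class FragmentClassifier:
    """Stateful mapping of clear-text fragments onto per-port tunnel SAs."""

    def __init__(self, sa_table: List[Tuple[Selector, str]], timeout: float = 30.0, max_queued: int = 16):
        self.sa_table = sa_table          # first matching selector wins
        self.timeout = timeout            # lifetime of a queue / noted fragment ID
        self.max_queued = max_queued      # memory bound per (src, dst, proto, frag_id)
        self.state: Dict[Tuple[str, str, int, int], FragState] = {}

    def _candidates(self, src: str, dst: str, proto: int) -> List[Tuple[Optional[int], str]]:
        return [(port, sa) for (s, d, p, port), sa in self.sa_table if (s, d, p) == (src, dst, proto)]

    def lookup_sa(self, src: str, dst: str, proto: int, dport: Optional[int]) -> Optional[str]:
        for port, sa in self._candidates(src, dst, proto):
            if port is None or port == dport:
                return sa
        return None

    def expire(self, now: float) -> None:
        # Drop queues and noted IDs whose lifetime has passed.
        for key in [k for k, st in self.state.items() if st.expires <= now]:
            del self.state[key]

    def process(self, frag: Fragment, now: float) -> List[Tuple[str, Fragment]]:
        """Return (sa_name, fragment) pairs that are ready to be transformed."""
        self.expire(now)
        # Unfragmented datagram: the port is in hand, classify directly.
        if frag.offset == 0 and not frag.more:
            sa = self.lookup_sa(frag.src, frag.dst, frag.proto, frag.dport)
            return [(sa, frag)] if sa else []

        key = (frag.src, frag.dst, frag.proto, frag.frag_id)
        st = self.state.get(key)

        if frag.offset == 0:
            # Initial fragment: choose the SA, release anything queued under this ID,
            # and note the ID so later fragments go straight through.
            sa = self.lookup_sa(frag.src, frag.dst, frag.proto, frag.dport)
            pending = st.queued if st else []
            if sa is None:
                self.state.pop(key, None)   # no SA for this port: discard the queue
                return []
            self.state[key] = FragState(sa=sa, expires=now + self.timeout)
            return [(sa, frag)] + [(sa, f) for f in pending]

        # Non-initial fragment.
        if st is not None and st.sa is not None:
            st.expires = now + self.timeout  # the ID is already noted
            return [(st.sa, frag)]
        cands = self._candidates(frag.src, frag.dst, frag.proto)
        if not cands:
            return []                        # no SA covers this flow at all
        if all(port is None for port, _ in cands):
            return [(cands[0][1], frag)]     # port-agnostic SA: nothing to wait for
        if st is None:
            st = self.state[key] = FragState(sa=None, expires=now + self.timeout)
        if len(st.queued) >= self.max_queued:
            return []                        # queue full: drop rather than grow without bound
        st.queued.append(frag)
        return []
```

The `process` method takes an explicit clock so the expiry path can be exercised deterministically; a real implementation would use a timer wheel rather than a linear sweep, and would also need to decide how long a noted ID may stay valid given that IP fragment IDs are only 16 bits and wrap quickly on a busy link.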

