
Re: clarification



Rohit,

     Next Hdr          Next Hdr         Derived Port Selector Field
     in Packet         in SPD           Value in SPD and SAD
     ---------------   --------------   ----------------------------

 1)  ESP               ESP or ANY       ANY (i.e., don't look at it)

 2)  -don't care-      ANY              ANY (i.e., don't look at it)

 3)  specific value,   specific value   NOT ANY (i.e., drop packet)
       fragment

 4)  specific value,   specific value   actual port selector field
       not fragment

What the table is trying to convey is that there are interactions
between the selectors used to match SPD or SAD entries themselves and
also with fields in a packet that are not classified as selectors,
i.e., the fragmentation fields.  It tries to be "implementation
neutral" by specifying certain port selector values that result in the
desired behavior.

In case 1), if the protocol field in the packet identifies an ESP
header, and the protocol selector specifies either ESP or a wildcard,
i.e., the protocol matches, then one cannot use the port selector for
anything as one cannot find port values in the packet to be matched
against the selector values in the SPD or SAD.  The easy way to
specify that "there are no useful port value(s) in the packet" is to
specify the source and destination port selectors as a wildcard -- ANY.

Otherwise in case 2), if one allows any protocol, then it does
not make any sense to try and specify some explicit port number, so
again, one should ignore the port selectors by specifying ANY port.

Otherwise in case 3), if the IP packet is a fragment and the SPD
requires an explicit protocol, then one cannot say that the packet is
for that protocol, and the packet must be dropped.  Note that in the
case of the first fragment, one might be able to identify the
protocol.  However, since the rest of the fragments will be dropped,
there is no point in letting the first one pass through.  In addition
the first fragment typically has the most useful information in it, if
it is to be audited, so rejecting it immediately may produce more
meaningful diagnostics.

Otherwise in case 4), if the IP packet is not a fragment and is for an
explicit protocol, proceed to match the port fields in the packet with
the port selectors specified in the SPD.  (If that protocol does not
use ports, I would expect the policy administrator to have specified
ANY for the port selectors.)

Does the above answer your questions?

Charlie
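The four rows of the table above, as an added example that is not part of the original message: a small Python model that applies them to one SPD entry and one packet. The names `SpdEntry`, `Packet` and `classify` are hypothetical, `ANY` is represented by `None`, and the fragment handling follows the message's reading that a fragment's protocol cannot be relied on, so row 3 drops it.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = None                  # wildcard selector value ("don't look at it")
ESP, TCP, UDP = 50, 6, 17   # IP protocol numbers

@dataclass
class SpdEntry:
    proto: Optional[int]      # ANY or a specific protocol number
    src_port: Optional[int]   # ANY or a specific port
    dst_port: Optional[int]

@dataclass
class Packet:
    next_hdr: int             # IP protocol / next header field
    is_fragment: bool         # MF set or non-zero fragment offset
    src_port: Optional[int] = None   # None when no transport header is present
    dst_port: Optional[int] = None

def classify(entry: SpdEntry, pkt: Packet) -> Tuple[str, str]:
    """Apply the four rows of the table; returns (verdict, reason).

    verdict is 'match' (entry applies, ports satisfied or ignored),
    'no-match' (entry does not apply) or 'drop' (row 3)."""
    # Row 1: ESP next header and selector ESP or ANY -> no ports to inspect.
    if pkt.next_hdr == ESP and entry.proto in (ESP, ANY):
        return "match", "row 1: ESP header, port selectors treated as ANY"
    # Row 2: protocol selector is ANY -> port selectors are ANY as well.
    if entry.proto is ANY:
        return "match", "row 2: protocol ANY, ports not looked at"
    # Rows 3 and 4: the entry requires a specific protocol.
    if pkt.is_fragment:
        return "drop", "row 3: fragment, port fields cannot be determined"
    if pkt.next_hdr != entry.proto:
        return "no-match", "protocol selector does not match packet"
    # Row 4: compare the actual port fields with the selectors.
    for sel, val, name in ((entry.src_port, pkt.src_port, "src"),
                           (entry.dst_port, pkt.dst_port, "dst")):
        if sel is not ANY and sel != val:
            return "no-match", f"row 4: {name} port {val} != selector {sel}"
    return "match", "row 4: port selectors satisfied"

if __name__ == "__main__":
    # Constructed sample: an entry for TCP to port 80, then a fragment of it.
    tcp_to_80 = SpdEntry(proto=TCP, src_port=ANY, dst_port=80)
    print(classify(tcp_to_80, Packet(TCP, False, 40000, 80)))
    print(classify(tcp_to_80, Packet(TCP, True)))
```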