
Re: Why can't ?



>     =============================================================
>    |                  ===SG3*=========*SG5===                    |
>    |                 |                  |    |                   |
>    |                 |===SG4============     |                   |
>  --|-----------------|---                  --|-------------------|--
> |  | Trusted N/W     |   |                |  |  Trusted N/W      |  |
> | H1  -- (Local --- SG1* |-- (Internet) --| SG2* --- (Local --- H2  |
> |        Intranet)       |                |          Intranet)      |
>  ------------------------                  -------------------------
>    admin. boundary                            admin. boundary
> 
> Let us consider the following situation
> 
> * SG3, SG4 and SG5 are in between routers.
> * SG1 and SG2 have AH/ESP tunnel.
> * SG3 and SG5 have AH/ESP tunnel.
> * Host H1 sends out the packet destined to H2.
> * SG1 applies IPsec and the packet gets fragmented.
> * First fragment reaches SG5 and then SG2, through SG4 without any
> IPsec applied since there is no security association between SG4 and SG5.
> * The rest of the fragments go through the SG3
> 
> Since IPSEC does not process fragments,

I think that this phrase is causing problems.  In the outbound direction,
fragmentation happens after IPSec processing [that says NOTHING about
whether the object to which the IPSec processing is applied is a fragment
or not], and, in the inbound direction, reassembly is performed before
IPSec processing [which says NOTHING about whether the object that results
from the initial IPSec processing, and is then matched against the
input SPD, is a fragment or not].

> the fragments in the SG3-SG5 tunnel get dropped.

This is not a result of the "IPSEC does not process fragments" clause,
but could happen due to the capabilities/configuration/working group
consensus for IPSec tunnels.

> in the rare case where the PMTU is lower than the threshold or the
> path changes in the middle of a transmission, there could be
> fragments. Is this scenario feasible, in the first place?  We think it
> is possible.

Yes, it can certainly happen.

> Will these fragments be discarded?

It depends on what the working group decides to do, or whether it is left
up to vendors to decide on extra product-differentiating features they
choose to support.  (See my previous message.)

> Is it essential for them to be discarded?

I suspect that a paranoid security officer would say "yes", while a user
who cannot get either his computer platform/application to do PMTU would
say "no".

Charlie