
Selectors and Transport Layer Protocol



Reading the documentation non-sequentially, as happens when one
implements things and needs to check on one issue here and there, I
happened on Architecture (RFC 2401), page 17:

 NOTE: To locate the transport protocol, a system has to chain
 through the packet headers checking the "Protocol" or "Next
 Header" field until it encounters either one it recognizes as
 a transport protocol, or until it reaches one that isn't on
 its list of extension headers, or until it encounters an ESP
 header that renders the transport protocol opaque.

The questions arise

- why not just define it as a check on the topmost protocol (in next
  header), forget the loop? If I don't want any funny wrapping and
  tunneling protocols to pass, my policy explicitly allows only known
  protocols (or a separate firewall does). The "topmost" protocol is
  known even for the fragments.

- what is a transport protocol anyway? Only UDP or TCP? What if I want
  to have a selector specifically for IPIP or ESP or AH? (e.g., for
  some odd reason, gateway policy might be to do only AH for packets
  that already have ESP). Or, if I wanted to do some kinky IPSEC with
  fragmented packets?

This just caught my "fuzzy detector" while reading it, at least with
IPv4. "Test the topmost" would remove the fuzzy feeling...

Perhaps it makes more sense with IPv6, but then the wording should be
"skipping non-protocol extension headers" or somesuch? (I don't know
IPv6 well enough at this point).

--
Some additional discussion..

	If my policy says to use a specific security bundle for TCP,
	do I really intend the same bundle to apply when someone wraps
	TCP inside an IPIP tunnel? (Moot question, if IPIP is a transport
	protocol).

-- 
Markku Savela (msa@hemuli.tte.vtt.fi), Technical Research Centre of Finland
Multimedia Systems, P.O.Box 1203,FIN-02044 VTT,http://www.vtt.fi/tte/staff/msa/
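As an added illustration (not from the post or from RFC 2401), the following Python sketch implements the header chain walk the quoted note describes, next to the poster's "test the topmost" alternative, and runs both over constructed IPv4 packets. The protocol numbers are the IANA ones; the packet builders, the transport/extension lists and the sample packets are assumptions made for the example.

```python
import struct

# IANA protocol numbers (real values); everything built below is constructed sample data.
IPIP, TCP, UDP, ESP, AH = 4, 6, 17, 50, 51
TRANSPORT = {TCP, UDP}   # what this walker "recognizes as a transport protocol" (assumed list)
EXTENSION = {AH}         # headers it knows how to step over (IPv4 case: AH only, assumed)

def ipv4(proto, payload=b"", frag_offset=0):
    """Build a minimal 20-byte IPv4 header (no options, zero checksum) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                      frag_offset & 0x1FFF, 64, proto, 0,
                      b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload

def ah(next_header, icv_len=12):
    """Build an AH header: Next Header, Payload Len (32-bit words minus 2), reserved, SPI, seq, ICV."""
    length_words = (12 + icv_len) // 4 - 2
    return struct.pack("!BBHII", next_header, length_words, 0, 0x100, 1) + b"\0" * icv_len

def topmost_protocol(pkt):
    """The poster's alternative: just read the IP header's Protocol field."""
    return pkt[9]

def rfc2401_transport_protocol(pkt):
    """Chain through the headers as RFC 2401 p.17 describes; return (protocol, why we stopped)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        # Non-first fragment: the chain beyond the IP header is not in this packet at all,
        # which is the poster's point that only the topmost protocol is known for fragments.
        return proto, "non-first fragment: only the IP header's Protocol field is visible"
    off = ihl
    while True:
        if proto in TRANSPORT:
            return proto, "transport protocol"
        if proto == ESP:
            return proto, "opaque: ESP hides the transport header"
        if proto not in EXTENSION:
            return proto, "not on the extension-header list"
        # AH: Next Header at byte 0, Payload Len in 32-bit words minus 2 at byte 1
        nxt, plen = pkt[off], pkt[off + 1]
        proto, off = nxt, off + (plen + 2) * 4

if __name__ == "__main__":
    for name, pkt in [("AH|TCP", ipv4(AH, ah(TCP) + b"\0" * 20)),
                      ("AH|ESP", ipv4(AH, ah(ESP) + b"\0" * 8)),
                      ("IPIP", ipv4(IPIP, ipv4(TCP, b"\0" * 20))),
                      ("frag", ipv4(TCP, b"\0" * 8, frag_offset=185))]:
        print(name, "topmost:", topmost_protocol(pkt), "walked:", rfc2401_transport_protocol(pkt))
```

Note that for the AH-wrapped packets the two approaches disagree (topmost says AH, the walk says TCP or "opaque"), which is exactly the selector ambiguity the post raises.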
