
Re: mixed mode datagrams

-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Hilarie" == Hilarie K Orman <ho@earth.hpc.org> writes:

    Hilarie> I think you've already been over this, but just to be sure:

    Hilarie> Is it the intention of the specifications to allow an IP
    Hilarie> datagram to be reassembled from a combination of ESP-protected
    Hilarie> fragments tunnelled through different security associations
    Hilarie> (including the possibility of no ESP protection)?

  Before anyone says that this situation should never occur, consider the 
following case:
        SPD:
           src     dst     protocol  src-port  dst-port  alg
        1  me/32   you/32  tcp       >1024     80        ESP
        2  me/32   you/32  tcp       *         *         AH

  What does one do with the non-initial fragments? They clearly match the
second rule. However, page 19 of rfc2401 says:

        If the packet has been fragmented, then the port information may
        not be available in the current fragment.  If so, discard the
        fragment.  An ICMP PMTU should be sent for the first fragment,
        which will have the port information.  [MAY be supported]

  But, this isn't even really sufficient. If rule #2 alone existed, there
would be no harm in sending out the fragments, since they all match. Due to
the existence of rule #1, however, *all* fragments must be treated in
this way.
  This is one reason that I didn't like the use of explicit priorities in the
SPD. Had we used implicit priorities (i.e. all src masks have higher
sort priority than dst masks, protocol is higher priority than src, and
wildcard has lower priority than explicit value) we would have had to
write a clear listing of all ambiguous cases, and how they are to be
resolved.
  I heard a Raptor presenter at Interop talking about how their
firewall resolves these issues, and the BlackHole manual spent 30+ pages
documenting how rules interacted.

   :!mcr!:            |  Network and security consulting/contract programming
   Michael Richardson |         Firewalls, TCP/IP and Unix administration
 Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
 Corporate: http://www.sandelman.ottawa.on.ca/SSW/
	ON HUMILITY: To err is human, to moo bovine.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQB1AwUBNorUENiXVu0RiA21AQHyPgMAvPEJ8K+J2NHHFVqCm+7IEJMjB8obIUg8
JJGMz4YZumn8hfwETHDVvKg/G0eAC9mdj5GtB+uB1/97yawz7mMJ2mRG6XyhX2yt
wTpfEs2SK3w8YQ6pqES2g3BLgxfBzkVn
=Qm7E
-----END PGP SIGNATURE-----
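The two-rule SPD above, worked through as an added example (this is not code from the message or from any IPsec implementation). It models an RFC 2401 selector lookup with explicit rule priorities and the page-19 option of discarding a fragment whose port information is unavailable. The addresses 192.0.2.1 ("me") and 198.51.100.7 ("you") are constructed stand-ins, the port-selector grammar ("*", "80", ">1024") is an assumption made for the example, and the three-fragment datagram is constructed so that only the first fragment carries the TCP header.

```python
"""Toy SPD classifier for the fragment/selector problem discussed above.

Added example, not code from the original message or any IPsec stack.
Addresses are constructed stand-ins: 192.0.2.1 plays "me", 198.51.100.7 plays "you".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

TCP = 6
DISCARD = "DISCARD"


@dataclass(frozen=True)
class Rule:
    prio: int                 # explicit SPD priority, lower number wins
    src: str                  # CIDR selector
    dst: str
    proto: Optional[int]      # None means wildcard protocol
    src_port: str             # assumed grammar: "*", "N", ">N", "<N"
    dst_port: str
    action: str               # "ESP", "AH", "BYPASS"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    src_port: Optional[int]   # None: transport header absent (non-initial fragment)
    dst_port: Optional[int]


def port_spec_matches(spec: str, port: int) -> bool:
    """Evaluate a port selector of the form "*", "N", ">N" or "<N"."""
    if spec == "*":
        return True
    if spec[0] == ">":
        return port > int(spec[1:])
    if spec[0] == "<":
        return port < int(spec[1:])
    return port == int(spec)


def rule_needs_ports(rule: Rule) -> bool:
    """True when the rule cannot be decided from addresses and protocol alone."""
    return rule.src_port != "*" or rule.dst_port != "*"


def headers_match(rule: Rule, pkt: Packet) -> bool:
    """Selectors that every fragment carries: addresses and protocol."""
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.proto is None or rule.proto == pkt.proto))


def classify(pkt: Packet, spd: List[Rule]) -> str:
    """Return the action of the first matching rule in priority order.

    If a port-specific rule is reached while the packet carries no port
    information (a non-initial fragment), the fragment is discarded, as RFC 2401
    page 19 allows.  The lookup cannot prove the fragment belongs to rule 2
    rather than rule 1, so rule 1's mere presence affects every fragment.
    """
    for rule in sorted(spd, key=lambda r: r.prio):
        if not headers_match(rule, pkt):
            continue
        if rule_needs_ports(rule):
            if pkt.src_port is None or pkt.dst_port is None:
                return DISCARD
            if not (port_spec_matches(rule.src_port, pkt.src_port)
                    and port_spec_matches(rule.dst_port, pkt.dst_port)):
                continue
        return rule.action
    return DISCARD  # no rule matched: default deny


def fragment_dispositions(fragments: List[Packet], spd: List[Rule]) -> List[str]:
    """Classify every fragment of one datagram; the list should never be a mix of SAs."""
    return [classify(f, spd) for f in fragments]


# The SPD from the message, with constructed addresses.
ME, YOU = "192.0.2.1/32", "198.51.100.7/32"
RULE1 = Rule(1, ME, YOU, TCP, ">1024", "80", "ESP")
RULE2 = Rule(2, ME, YOU, TCP, "*", "*", "AH")
SPD_BOTH = [RULE1, RULE2]
SPD_RULE2_ONLY = [RULE2]

# Constructed three-fragment datagram, high port -> 80; only the first carries ports.
FRAGMENTS = [
    Packet("192.0.2.1", "198.51.100.7", TCP, 40000, 80),
    Packet("192.0.2.1", "198.51.100.7", TCP, None, None),
    Packet("192.0.2.1", "198.51.100.7", TCP, None, None),
]

if __name__ == "__main__":
    print("rule 2 alone :", fragment_dispositions(FRAGMENTS, SPD_RULE2_ONLY))
    print("rules 1 and 2:", fragment_dispositions(FRAGMENTS, SPD_BOTH))
```

With rule 2 alone every fragment goes out under AH. Once rule 1 is present, the first fragment matches rule 1 (ESP) and the non-initial fragments are discarded, because nothing in them rules out rule 1. A sender that instead let the non-initial fragments fall through to rule 2 would emit exactly the ESP-plus-AH mix asked about in the question, and the receiver would have to reassemble a datagram from fragments arriving over two security associations.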
