[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: using por numbers in selectors

To: ddp@network-alchemy.com
Subject: Re: using por numbers in selectors
From: Paul Koning <pkoning@xedia.com>
Date: Wed, 23 Jun 1999 14:57:58 -0400
Cc: dharkins@network-alchemy.com, ipsec@lists.tislabs.com
References: <199906231650.MAA11334@tonga.xedia.com><199906231744.KAA02470@gallium.network-alchemy.com>
Sender: owner-ipsec@lists.tislabs.com

>>>>> "Derrell" == Derrell D Piper <ddp@Network-Alchemy.COM> writes:

 Derrell> Fine, the first fragment containing the upper-level protocol
 Derrell> header may have gone a different route.  However, if you let
 Derrell> the rest of the fragments through as a result, I'd argue you
 Derrell> have a security hole.

And if you block them, you have a black hole.  You have a problem
either way, just a different problem.

I think the only real answer is: if you do port based stuff, make sure 
there is no fragmentation of the cleartext.  Otherwise, the world will 
be flaky at best.

	paul

References:

Re: using por numbers in selectors

From: Paul Koning <pkoning@xedia.com>

Re: using por numbers in selectors

From: "Derrell D. Piper" <ddp@network-alchemy.com>

Prev by Date: Re: using por numbers in selectors
Next by Date: RE: IPCP implementations
Prev by thread: Re: using por numbers in selectors
Next by thread: Re: using por numbers in selectors
Index(es):
- Main
- Thread