
application of security policy to fragments



Hi,

RFC 2401 has a table in sect. 4.4.2 (p. 20) covering how Selectors should
be applied to packets that are IP fragments.  I am trying to understand the
rationale behind this.

I believe that the 3rd row of the table (augmented by the note immediately
following the table) implies that a fragment of a tcp (or udp) datagram
should be discarded by a SG if all these points are true:
 1. there is an SPD rule specifying protocol tcp (or udp)
 2. that rule has source/dest address Selectors compatible with the packet
 3. there is no higher-precedence rule in the SPD that matches the packet

Agreed so far?

I surmise that the rationale for this might be to drop all tcp/udp packets
for which, due to the unavailability of port numbers in the packet, there is
ambiguity over which, if any, SPD rule the packet should match.  Is that the
point?

If that is the point, it would seem that an SPD rule specifying
protocol=tcp, source_port=ANY, dest_port=ANY should not cause fragmented
tcp packets to be summarily dropped, since the absence of port numbers in
the fragments does not create any ambiguity with respect to that rule.
However, I think the 3rd row of the table in 2401 p. 20 does call for
packets to be dropped in this case.  Is this an oversight?  Or just done to
simplify things?  Other reason??

More generally, and assuming for the sake of discussion that the
source/dest address selectors are all set to ANY, the result seems to be
that if the SPD contains *any* rule(s) specifying protocol=tcp, then *no*
tcp fragments at all could pass, unless matched by a higher precedence rule
that specifies protocol=ANY.  This seems a bit harsh.  Is this really the
intended effect?

Thanks, Mark
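To make the two readings in the message above concrete, here is an added toy model (written for this archive page; it is not the poster's code and not an RFC 2401 implementation). It builds constructed IPv4 packets, extracts the selector fields that are actually present in each piece (ports only exist in the offset-0 piece), and runs an ordered SPD lookup under two semantics. "strict" models the reading of the table described in the post: a later fragment that matches a tcp/udp rule on address and protocol is discarded because its ports cannot be checked. "lenient" lets a rule whose port selectors are ANY match such a fragment and discards only when the rule names a specific port. The names Rule, Selectors, lookup, demo and the sample policy and addresses are the editor's constructions.

```python
"""Toy SPD selector matching against IP fragments (added example, not RFC text)."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

TCP, UDP = 6, 17
MORE_FRAGMENTS = 0x2000   # MF bit in the IPv4 flags/fragment-offset field
DISCARD = "discard"


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               frag_offset: int = 0, more_fragments: bool = False,
               ident: int = 0x1234) -> bytes:
    """Build a minimal 20-byte-header IPv4 packet; frag_offset is in 8-byte units."""
    flags_frag = (MORE_FRAGMENTS if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


@dataclass(frozen=True)
class Selectors:
    src: IPv4Address
    dst: IPv4Address
    proto: int
    sport: Optional[int]     # None when the piece carries no transport header
    dport: Optional[int]
    later_fragment: bool     # fragment offset != 0


def extract_selectors(pkt: bytes) -> Selectors:
    """Read selector fields from the packet; ports are present only at offset 0."""
    ihl = (pkt[0] & 0x0F) * 4
    (flags_frag,) = struct.unpack("!H", pkt[6:8])
    proto = pkt[9]
    src, dst = IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20])
    later = (flags_frag & 0x1FFF) != 0
    sport = dport = None
    if not later and proto in (TCP, UDP) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return Selectors(src, dst, proto, sport, dport, later)


@dataclass(frozen=True)
class Rule:
    action: str                          # "bypass", "protect" or "discard"
    src: Optional[IPv4Network] = None    # None means ANY
    dst: Optional[IPv4Network] = None
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


def _addr_proto_match(rule: Rule, sel: Selectors) -> bool:
    return ((rule.src is None or sel.src in rule.src)
            and (rule.dst is None or sel.dst in rule.dst)
            and (rule.proto is None or rule.proto == sel.proto))


def lookup(spd: List[Rule], sel: Selectors, strict: bool) -> str:
    """Action of the first (highest-precedence) matching rule; default deny.

    strict=True: a later fragment matching a tcp/udp rule on address and
    protocol is discarded outright (ports cannot be inspected).
    strict=False: a tcp/udp rule with ANY ports may match the fragment;
    only a rule naming a specific port forces a discard.
    """
    for rule in spd:
        if not _addr_proto_match(rule, sel):
            continue
        if sel.later_fragment and rule.proto in (TCP, UDP):
            if strict or rule.sport is not None or rule.dport is not None:
                return DISCARD
            return rule.action
        if rule.sport is not None and rule.sport != sel.sport:
            continue
        if rule.dport is not None and rule.dport != sel.dport:
            continue
        return rule.action
    return DISCARD


# Constructed sample policy (first match wins): all tcp between two prefixes
# is bypassed with ports ANY; udp to port 53 from anywhere is protected.
SPD = [
    Rule("bypass", src=IPv4Network("10.0.0.0/8"), dst=IPv4Network("192.0.2.0/24"), proto=TCP),
    Rule("protect", proto=UDP, dport=53),
]


def demo() -> dict:
    tcp_hdr = struct.pack("!HH", 40000, 80) + b"\x00" * 16          # constructed TCP header
    first = build_ipv4("10.1.2.3", "192.0.2.10", TCP, tcp_hdr, more_fragments=True)
    later = build_ipv4("10.1.2.3", "192.0.2.10", TCP, b"rest of segment", frag_offset=3)
    udp_full = build_ipv4("10.1.2.3", "198.51.100.5", UDP, struct.pack("!HHHH", 5000, 53, 8, 0))
    udp_frag = build_ipv4("10.1.2.3", "198.51.100.5", UDP, b"rest of datagram", frag_offset=2)
    return {
        "first_strict": lookup(SPD, extract_selectors(first), strict=True),
        "later_strict": lookup(SPD, extract_selectors(later), strict=True),
        "later_lenient": lookup(SPD, extract_selectors(later), strict=False),
        "udp_full": lookup(SPD, extract_selectors(udp_full), strict=False),
        "udp_frag_lenient": lookup(SPD, extract_selectors(udp_frag), strict=False),
    }
```

Under the strict reading the offset-0 piece of the tcp datagram is bypassed but every later piece of the same datagram is discarded, which is the effect the post calls harsh; the lenient reading lets the ports=ANY rule pass those pieces, while a rule that names a port (the udp/53 rule) still discards fragments it cannot disambiguate. Putting a protocol=ANY rule ahead of the tcp rule lets later fragments through under either reading, matching the "higher precedence rule that specifies protocol=ANY" escape described in the message.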