Re: IKE negotiation for fragmentation controls in IPsec
At 10:36 AM -0700 6/26/03, Srinivasa Rao Addepalli wrote:
>Imagine this scenario:
>As I understand from the description, once SG1 and SG2 negotiate
>and come to understanding, then SG2 can drop fragmented secured
>packets. But the routers in between can fragment the packets.
>To avoid this situation, SG1 has to set the DF bit and PMTU
>processing should be MUST in this case. Is it right to assume that
>all core and edge routers/firewalls in the Internet and enterprise support passing
>the ICMP error messages? I keep hearing that most (maybe some) firewalls
>can be explicitly configured to discard ICMP error messages.
Any statement of the form "all X in the Internet do Y" is very likely
to be false :-)
In many (most?) current deployments, IPsec is at the perimeter of an
organizational enclave and thus is either parallel to a firewall or
is part of the same system as a firewall. If an IPsec system is
behind a firewall, then one encounters problems with getting IPsec
traffic through, in many cases, just as one might have trouble
getting ICMP traffic through.
Ultimately, the best solution, from a pragmatic and security
perspective, is likely to be a means of determining PMTU that rides
over IPsec, e.g., within a tunnel, and thus avoids the question of
whether any intermediate routers or firewalls play the PMTU discovery
game. It would be possible to do that today, sending ICMP traffic
between two IPsec implementations, encapsulated in a tunnel, if the
SPDs at each end allow it, but we ought to consider a more formal
specification of a mechanism going forward.
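A small simulation of the two approaches discussed in this message, added here as an example and not part of the original thread: classic RFC 1191 PMTUD, which depends on a router's ICMP "fragmentation needed" error surviving the return trip past any firewall that filters ICMP, versus a probe-and-acknowledge exchange carried inside the ESP tunnel, which is my assumption of what an in-tunnel mechanism would look like. The hop list, the ESP overhead figures (AES-CBC, HMAC-SHA1-96) and the helper names are constructed for the example.

```python
"""Constructed model: classic PMTUD vs. probe-based PMTUD run inside an IPsec tunnel."""
from dataclasses import dataclass


@dataclass
class Hop:
    name: str
    mtu: int
    passes_icmp_errors: bool = True  # False: this firewall discards ICMP error messages


# Constructed paths SG1 -> SG2. The edge firewall in the first one filters ICMP errors.
PATH_ICMP_FILTERED = [Hop("edge-fw", 1500, False), Hop("core-1", 1400), Hop("core-2", 1500)]
PATH_ICMP_OK = [Hop("edge-fw", 1500), Hop("core-1", 1400), Hop("core-2", 1500)]


def esp_tunnel_size(inner_len, iv=16, block=16, icv=12):
    """Outer size of an ESP tunnel-mode packet (assumed AES-CBC IV and 96-bit ICV)."""
    padded = ((inner_len + 2 + block - 1) // block) * block  # payload + pad + padlen + next hdr
    return 20 + 8 + iv + padded + icv  # outer IPv4 + SPI/seq + IV + padded payload + ICV


def max_inner_len(pmtu, iv=16, block=16, icv=12):
    """Largest inner packet whose ESP encapsulation still fits the outer PMTU without fragmentation."""
    return ((pmtu - 20 - 8 - iv - icv) // block) * block - 2


def forward(path, size):
    """Walk a DF-set packet along the path; return index of the hop that rejects it, or None."""
    for i, hop in enumerate(path):
        if size > hop.mtu:
            return i
    return None


def classic_pmtud(path, size):
    """RFC 1191 style: SG1 learns the PMTU only if the router's ICMP error gets back to it."""
    while True:
        i = forward(path, size)
        if i is None:
            return size
        # The ICMP error travels back through hops 0..i-1; any ICMP-filtering hop black-holes it.
        if not all(h.passes_icmp_errors for h in path[:i]):
            return None  # sender keeps retransmitting a packet that never arrives
        size = path[i].mtu


def in_tunnel_pmtud(path, low=576, high=1500):
    """Binary-search probes between the gateways; acks ride inside ESP, so ICMP filters are moot."""
    while low < high:
        probe = (low + high + 1) // 2
        if forward(path, probe) is None:  # probe reached SG2, ack returns through the tunnel
            low = probe
        else:
            high = probe - 1  # no ack: probe was too large (or the DF drop was silent)
    return low
```

With ICMP errors filtered at the edge, `classic_pmtud` black-holes while `in_tunnel_pmtud` still converges on 1400, and `max_inner_len(1400)` gives the largest cleartext packet SG1 can accept without having to fragment before encapsulation.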