Re: IKE negotiation for fragmentation controls in IPsec
Date: Mon, 30 Jun 2003 09:19:33 -0400
To: "Srinivasa Rao Addepalli" <srao@intotoinc.com>
From: Stephen Kent <kent@bbn.com>
Subject: Re: IKE negotiation for fragmentation controls in IPsec
Cc: <ipsec@lists.tislabs.com>
At 3:51 PM -0700 6/27/03, Srinivasa Rao Addepalli wrote:
> > > Outbound Processing steps:
> > > - Reassemble the packet (Packet coming from trusted network).
> >
> > NO. there is no implied reassembly by the transmitter.
> >
> > I won't comment on the rest of your message since this assumption was
> > not right and it may influence later parts of your message.
> >
>
> I am curious why this is not needed.
> IPSEC SPD supports a selector space with not only IP addresses, but also
> TCP/UDP port values. If some sort of reassembly is not done (either wait
> for all fragments OR maintain reassembly state with IP ID, SIP, DIP), there
> is a possibility of mapping the non-first fragments of the packets to the wrong
> security policy. Only the first fragment has TCP/UDP information and it chooses
> the correct security policy.
>
> Complete IP reassembly helps in finding out obvious DoS attacks and
> helps in reducing the number of encapsulated IPSEC packets.
Each inbound IPsec datagram carries an SPI and that maps uniquely to
an SA. If one links selector info with each SAD entry (part of the
simplified processing model I'll be explaining as we progress), then
there is no ambiguity about which selectors to match against an
inbound packet.
If the SA calls for examination of port fields, then yes, non-initial
fragments cannot be examined, but so long as we make sure the offsets
are large enough to avoid overwriting these fields, then letting such
fragments through does not seem like a serious problem. Also, as Tero
noted in his message, at worst one might buffer, but not reassemble,
non-initial fragments for an SA under such circumstances.
Steve
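As an added illustration of the receiver-side model Steve describes (not code from the thread or from any IPsec implementation): the SPI selects the SA, the SA carries its own selectors, an initial fragment is checked against the port selector, and non-initial fragments are buffered rather than reassembled until the initial fragment decides their fate. The SAD contents, packet builder and the `MIN_NONINITIAL_OFFSET` policy value are assumptions made for the example.

```python
import struct
from dataclasses import dataclass, field

@dataclass
class SA:
    src: str
    dst: str
    proto: int                 # IP protocol selector, 6 = TCP
    dst_port: int              # 0 means any port
    pending: dict = field(default_factory=dict)  # (src, dst, ip_id) -> frags

# Constructed SAD: each SPI maps to exactly one SA that carries its selectors.
SAD = {0x1001: SA("10.0.0.1", "10.0.0.2", 6, 443)}
# Assumption: ports are bytes 0-3 of the transport header; a non-initial
# fragment starting below this offset is refused so it cannot overwrite them.
MIN_NONINITIAL_OFFSET = 8

def ipv4(src, dst, ip_id, frag_units, more, proto, payload):
    """Build a minimal IPv4 packet (constructed test input, checksum left 0)."""
    flags_frag = (0x2000 if more else 0) | frag_units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id,
                       flags_frag, 64, proto, 0,
                       bytes(int(x) for x in src.split(".")),
                       bytes(int(x) for x in dst.split("."))) + payload

def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    ip_id, flags_frag = struct.unpack("!HH", pkt[4:8])
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, ip_id, pkt[9], (flags_frag & 0x1FFF) * 8, pkt[ihl:]

def inbound(spi, inner):
    """SPI -> SA -> selector check; returns (verdict, released fragments)."""
    sa = SAD.get(spi)
    if sa is None:
        return "drop", []                     # the SPI alone picks the SA
    src, dst, ip_id, proto, offset, payload = parse_ipv4(inner)
    if (src, dst, proto) != (sa.src, sa.dst, sa.proto):
        return "drop", []
    if sa.dst_port == 0:
        return "accept", []                   # no port selector on this SA
    key = (src, dst, ip_id)
    if offset == 0:                           # initial fragment: ports present
        held = sa.pending.pop(key, [])
        if struct.unpack("!H", payload[2:4])[0] != sa.dst_port:
            return "drop", []                 # buffered fragments go with it
        return "accept", held                 # release what was buffered
    if offset < MIN_NONINITIAL_OFFSET:
        return "drop", []
    sa.pending.setdefault(key, []).append(inner)  # buffer, do not reassemble
    return "buffer", []
```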