[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKE negotiation for fragmentation controls in IPsec

Return-Path: <kent@bbn.com>
Received: from [] (comsec.bbn.com [])
	by aragorn.bbn.com (8.12.7/8.12.7) with ESMTP id h5UDKEDD009711;
	Mon, 30 Jun 2003 09:20:18 -0400 (EDT)
Mime-Version: 1.0
X-Sender: kent@po2.bbn.com
Message-Id: <p05100301bb25e874a6a8@[]>
In-Reply-To: <047f01c33cfe$9d912240$0202a8c0@SindhuSriha>
References: <p05210618bb1fd593f2a0@[]>
Date: Mon, 30 Jun 2003 09:19:33 -0400
To: "Srinivasa Rao Addepalli" <srao@intotoinc.com>
From: Stephen Kent <kent@bbn.com>
Subject: Re: IKE negotiation for fragmentation controls in IPsec
Cc: <ipsec@lists.tislabs.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
X-Scanned-By: MIMEDefang 2.28 (www . roaringpenguin . com / mimedefang)

At 3:51 PM -0700 6/27/03, Srinivasa Rao Addepalli wrote:
>  > >       Outbound Processing steps:
>>  >              - Reassemble the packet (Packet coming from trusted network).
>>  NO. there is no implied reassembly by the transmitter.
>>  I won't comment on the rest of your message since this assumption was
>>  not right and it may influence later parts of your message.
>I am curious on why this is not needed.
>IPSEC SPD supports selector space with not only IP addresses, but also
>with TCP/UDP port values. If some sort of reassembling is not done(either wait
>for all fragments OR maintain reassembly state with IP ID, SIP, DIP), there
>is possibility of mapping the non-first fragments of the packets to the wrong
>security policy. Only first fragment has TCP/UDP information and it chooses
>the correct security policy.
>Complete IP reassembling helps in finding out obvious DoS attacks and
>helps in reducing  the number of encapsulated IPSEC packets.

Each inbound IPsec datagram carries and SPI and that maps uniquely to 
an SA. If one links selector info with each SAD entry (part of the 
simplified processing model I'll bee explaining as we progress), then 
there is no ambiguity about which selectors to match against an 
inbound packet.

If the SA calls for examination of port fields, then yes, non-initial 
fragments cannot be examined, but so long as we make sure the offsets 
are large enough to avoid overwriting these fields, then letting such 
fragments through does not seem like a serious problem. Also, as Tero 
noted in his message, at worst one might buffer, but not reassemble, 
non-initial fragments for an SA under such circumstances.