[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IKE negotiation for fragmentation controls in IPsec
In your previous mail you wrote:
> NO. there is no implied reassembly by the transmitter.
I am curious on why this is not needed.
=> intermediate boxes should not even try to reassemble packets.
There are many reasons, for instance some fragments can follow a
different path, or this increases the latency, etc.
IPSEC SPD supports selector space with not only IP addresses, but also
with TCP/UDP port values.
=> a security gateway can get fragments so it doesn't support selectors
which can be in the second fragment. IMHO SPD on a SG should be constrained
to only IP addresses (IPv6 is a bit different, first the flow label is
always available, second some extension headers are on purpose
in all fragments).
If some sort of reassembling is not done(either wait
for all fragments OR maintain reassembly state with IP ID, SIP, DIP), there
is possibility of mapping the non-first fragments of the packets to the
wrong security policy. Only first fragment has TCP/UDP information
=> this is not true, the TCP/UDP information can be in the second fragment.
and it chooses the correct security policy.
Complete IP reassembling helps in finding out obvious DoS attacks and
=> this is the job of a firewall, not the job of a SG.
helps in reducing the number of encapsulated IPSEC packets.
Regards
Francis.Dupont@enst-bretagne.fr
PS: it seems I have some trouble with the list server: I apologize
if you mbox has already blown with messages developing these arguments.