
Re: IKE negotiation for fragmentation controls in IPsec



 In your previous mail you wrote:

   > NO. there is no implied reassembly by the transmitter.
    
   I am curious why this is not needed.

=> intermediate boxes should not even try to reassemble packets.
There are many reasons, for instance some fragments can follow a
different path, or this increases the latency, etc.

   IPSEC SPD supports selector space with not only IP addresses, but also
   with TCP/UDP port values.

=> a security gateway can get fragments so it doesn't support selectors
which can be in the second fragment. IMHO SPD on a SG should be constrained
to only IP addresses (IPv6 is a bit different, first the flow label is
always available, second some extension headers are on purpose
in all fragments).

   If some sort of reassembling is not done (either wait
   for all fragments OR maintain reassembly state with IP ID, SIP, DIP), there
   is a possibility of mapping the non-first fragments of the packets to the
   wrong security policy. Only the first fragment has TCP/UDP information

=> this is not true, the TCP/UDP information can be in the second fragment.

   and it chooses the correct security policy. 
   
   Complete IP reassembling helps in finding out obvious DoS attacks and

=> this is the job of a firewall, not the job of a SG.

   helps in reducing the number of encapsulated IPSEC packets.
   
Regards

Francis.Dupont@enst-bretagne.fr

PS: it seems I have some trouble with the list server: I apologize
if your mbox has already blown up with messages developing these arguments.
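The point argued in this thread (a security gateway sees individual fragments, non-first fragments carry no TCP/UDP header, so port selectors in the SPD cannot be evaluated per fragment and the fragments of one packet can end up under different policies unless the SPD is restricted to address selectors) is easy to see on constructed packets. The following is an added example, not code from this thread or from any IPsec implementation: it builds IPv4 fragments of one TCP segment, parses them the way a gateway would see them, and runs a toy SPD lookup that only honours a port selector when the fragment actually carries the port bytes. The SPD rules, addresses and packet contents are all made up for the demonstration; checksums are left zero.

```python
import struct
import ipaddress

IP_MF = 0x1  # "more fragments" flag bit (bit 13 of the flags/offset field)


def build_ipv4_fragments(src, dst, proto, ident, payload, max_payload):
    """Split payload into IPv4 fragments; max_payload must be a multiple of 8.
    Returns raw packets with a 20-byte header, no options, zero checksum."""
    assert max_payload % 8 == 0
    frags = []
    for off in range(0, len(payload), max_payload):
        chunk = payload[off:off + max_payload]
        more = off + max_payload < len(payload)
        flags_frag = ((IP_MF if more else 0) << 13) | (off // 8)
        hdr = struct.pack("!BBHHHBBH4s4s",
                          0x45, 0, 20 + len(chunk), ident, flags_frag,
                          64, proto, 0,
                          ipaddress.IPv4Address(src).packed,
                          ipaddress.IPv4Address(dst).packed)
        frags.append(hdr + chunk)
    return frags


def parse_fragment(pkt):
    """Decode the fields a gateway has on every fragment: addresses, protocol,
    IP ID, MF flag, byte offset and whatever payload bytes this fragment holds."""
    ihl = (pkt[0] & 0x0F) * 4
    (_, _, total_len, ident, flags_frag, _, proto, _,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto,
        "id": ident,
        "mf": bool((flags_frag >> 13) & IP_MF),
        "offset": (flags_frag & 0x1FFF) * 8,
        "payload": pkt[ihl:total_len],
    }


def transport_ports(frag):
    """Return (sport, dport) only when this fragment really carries them:
    TCP/UDP, offset 0, and at least the 4 port bytes present. A non-first
    fragment never qualifies; a too-short first fragment does not either."""
    if frag["proto"] not in (6, 17) or frag["offset"] != 0 or len(frag["payload"]) < 4:
        return None
    return struct.unpack("!HH", frag["payload"][:4])


# Toy SPD (constructed): (src_net, dst_net, proto or None, dport or None, action).
# The first rule needs a port selector; the second is address/protocol only.
SPD = [
    ("10.1.0.0/16", "10.2.0.0/16", 6, 443, "PROTECT-esp-sa1"),
    ("10.1.0.0/16", "10.2.0.0/16", None, None, "PROTECT-esp-sa2"),
]


def spd_lookup(frag):
    """Match one fragment against the SPD. Returns (action, basis) where basis
    says whether port selectors could be evaluated on this fragment."""
    ports = transport_ports(frag)
    basis = "ports" if ports is not None else "address-only"
    src = ipaddress.IPv4Address(frag["src"])
    dst = ipaddress.IPv4Address(frag["dst"])
    for src_net, dst_net, proto, dport, action in SPD:
        if src not in ipaddress.ip_network(src_net) or dst not in ipaddress.ip_network(dst_net):
            continue
        if proto is not None and proto != frag["proto"]:
            continue
        if dport is not None:
            if ports is None:
                continue  # rule needs the transport header; this fragment lacks it
            if ports[1] != dport:
                continue
        return action, basis
    return "DISCARD", basis


def demo():
    """Fragment one constructed TCP SYN (72-byte L4 payload) into 32-byte pieces
    and classify each fragment independently, as a gateway would."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + b"x" * 52
    raw = build_ipv4_fragments("10.1.0.5", "10.2.0.9", 6, 0x1234, tcp, 32)
    return [spd_lookup(parse_fragment(p)) for p in raw]


if __name__ == "__main__":
    for action, basis in demo():
        print(action, basis)
```

Only the first fragment lands under the port-specific rule; the other two fragments of the same segment fall through to the address-only rule, i.e. the "wrong security policy" case raised in the thread. With the SPD constrained to address selectors, as suggested above, all three fragments would match the same entry without any reassembly state on the gateway.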