[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKE negotiation for fragmentation controls in IPsec




> From: Tero Kivinen <kivinen@ssh.fi>

> ----------------------------------------------------------------------
>   NO_FRAGMENTED_IPSEC_PACKETS		24587
> 
>   By sending this notification the sender announces that it
>   will always fragment packets before encapsulating them to
>   the IPsec packets, i.e the recipient of this notification
>   MAY drop all fragmented IPSec packets, as they are not
>   generated by the other end.
> ----------------------------------------------------------------------

Sorry about butting in. I have been on vacation and a bit of lost
here. Are we now planning on MAJOR change in IPSEC, where you APPLY
IPSEC to fragments?

Otherwise above change makes no sense at all.

Previously SG had to assemble the packets before doing IPSEC. So, I
take above is to make SG's job easier? (Or IPSEC below IP-stack
implementations). But, then it should limit selectors only to
addresses, to keep things simple (e.g. if you allow IPSEC on
fragments, don't even think of making it mandatory to support port
selectors -- that's same as requiring reassembly anyway).

For bump in the stack implementations, there should be no need for
IPSEC:ing fragments, ever.

Previously, fragmentation DOS attacks had no relevance to the
IPSEC. Now, if fragments can be IPSEC:ed, there might be some consern.