Re: IKE negotiation for fragmentation controls in IPsec

At 10:13 PM +0300 6/30/03, Markku Savela wrote:
>  > From: Tero Kivinen <kivinen@ssh.fi>
>>  ----------------------------------------------------------------------
>>    By sending this notification the sender announces that it
>>    will always fragment packets before encapsulating them to
>>    the IPsec packets, i.e. the recipient of this notification
>>    MAY drop all fragmented IPSec packets, as they are not
>>    generated by the other end.
>>  ----------------------------------------------------------------------
>Sorry about butting in. I have been on vacation and am a bit lost
>here. Are we now planning on a MAJOR change in IPSEC, where you APPLY
>IPSEC to fragments?
>Otherwise the above change makes no sense at all.

IPsec has always been applied to fragments that arrive at an SG, or 
in the case of IPv6, that are emitted by a host internally.

>Previously SG had to assemble the packets before doing IPSEC.

Could you remind me of where we said that in 2401?

>So, I
>take above is to make SG's job easier? (Or IPSEC below IP-stack
>implementations). But, then it should limit selectors only to
>addresses, to keep things simple (e.g. if you allow IPSEC on
>fragments, don't even think of making it mandatory to support port
>selectors -- that's same as requiring reassembly anyway).
>For bump in the stack implementations, there should be no need for
>IPSEC:ing fragments, ever.
>Previously, fragmentation DOS attacks had no relevance to the
>IPSEC. Now, if fragments can be IPSEC:ed, there might be some concern.
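The two points argued in this exchange (port selectors cannot be evaluated on a non-initial fragment without reassembly, and a peer that announces it always fragments before encapsulation lets the receiver drop fragmented IPsec packets) can be made concrete with a small policy check. The code below is an added illustration written for this thread, not code from any IPsec implementation or from the draft being discussed; the IPv4 header builder, the `Selector` shape, the decision strings and the `peer_announced_prefragmentation` flag are all constructed assumptions.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed minimal IPv4 view: only the fields a selector check needs.
@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    frag_offset: int          # fragment offset in 8-byte units
    more_fragments: bool
    src_port: Optional[int]   # None unless the transport header is present
    dst_port: Optional[int]

# Constructed selector (hypothetical shape, not RFC 2401's SPD record).
@dataclass
class Selector:
    src: str
    dst: str
    proto: Optional[int] = None
    dst_port: Optional[int] = None

def build_ipv4(src, dst, proto, payload, frag_offset=0, more_fragments=False):
    """Build a constructed IPv4 datagram (checksum left zero; not verified here)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_ipv4(raw: bytes) -> Packet:
    """Parse the fixed IPv4 header; ports are read only from a first fragment."""
    (ver_ihl, _tos, _total, _ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    more = bool(flags_frag & 0x2000)
    offset = flags_frag & 0x1FFF
    payload = raw[ihl:]
    sport = dport = None
    # Only the first fragment (offset 0) of TCP/UDP carries the port numbers.
    if offset == 0 and proto in (6, 17) and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
    return Packet(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto,
                  offset, more, sport, dport)

def selector_decision(sel: Selector, pkt: Packet) -> str:
    """Return 'match', 'no_match' or 'needs_reassembly'.

    Address and protocol selectors are decidable on every fragment. A port
    selector is only decidable on the first fragment; any other fragment
    would require reassembly before the SPD lookup can complete.
    """
    if pkt.src != sel.src or pkt.dst != sel.dst:
        return "no_match"
    if sel.proto is not None and pkt.proto != sel.proto:
        return "no_match"
    if sel.dst_port is None:
        return "match"
    if pkt.frag_offset != 0 or pkt.dst_port is None:
        return "needs_reassembly"
    return "match" if pkt.dst_port == sel.dst_port else "no_match"

def accept_inbound_ipsec(pkt: Packet, peer_announced_prefragmentation: bool) -> bool:
    """Inbound pre-filter for ESP (50) / AH (51).

    If the peer notified us that it always fragments before encapsulating,
    a fragmented IPsec packet cannot have come from that peer, so it is
    dropped before it can consume reassembly state.
    """
    is_fragment = pkt.more_fragments or pkt.frag_offset != 0
    if pkt.proto in (50, 51) and is_fragment and peer_announced_prefragmentation:
        return False
    return True

# Constructed sample traffic: a DNS-sized UDP datagram split in two, and an ESP fragment.
DNS_SELECTOR = Selector("10.0.0.1", "10.0.0.2", proto=17, dst_port=53)
UDP_FIRST = parse_ipv4(build_ipv4("10.0.0.1", "10.0.0.2", 17,
                                  struct.pack("!HHHH", 40000, 53, 16, 0) + b"\x00" * 8,
                                  frag_offset=0, more_fragments=True))
UDP_SECOND = parse_ipv4(build_ipv4("10.0.0.1", "10.0.0.2", 17, b"\x00" * 8,
                                   frag_offset=185, more_fragments=False))
ESP_FRAGMENT = parse_ipv4(build_ipv4("10.0.0.1", "10.0.0.2", 50, b"\x00" * 8,
                                     frag_offset=185, more_fragments=False))

def demo() -> dict:
    return {
        "first_fragment": selector_decision(DNS_SELECTOR, UDP_FIRST),
        "second_fragment": selector_decision(DNS_SELECTOR, UDP_SECOND),
        "esp_frag_peer_announced": accept_inbound_ipsec(ESP_FRAGMENT, True),
        "esp_frag_no_notification": accept_inbound_ipsec(ESP_FRAGMENT, False),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `needs_reassembly` result on the second fragment is the cost Markku points at: an SG that applies IPsec to fragments and also supports port selectors must either reassemble or fall back to address-only selectors for that traffic. The `accept_inbound_ipsec` branch is the receiver-side use of the notification quoted from Tero's text.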