[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKE negotiation for fragmentation controls in IPsec

To: Markku Savela <msa@burp.tkv.asdf.org>
Subject: Re: IKE negotiation for fragmentation controls in IPsec
From: Stephen Kent <kent@bbn.com>
Date: Mon, 30 Jun 2003 15:32:10 -0400
Cc: ipsec@lists.tislabs.com
In-Reply-To: <200306301913.h5UJD88P003320@burp.tkv.asdf.org>
References: <p05210618bb1fd593f2a0@[10.1.71.211]><16122.55806.305977.986255@ryijy.hel.fi.ssh.com><p05210604bb20a15dcd7c@[10.1.71.211]><16128.25732.675945.766298@ryijy.hel.fi.ssh.com><200306301913.h5UJD88P003320@burp.tkv.asdf.org>
Sender: owner-ipsec@lists.tislabs.com

At 10:13 PM +0300 6/30/03, Markku Savela wrote:
>  > From: Tero Kivinen <kivinen@ssh.fi>
>
>>  ----------------------------------------------------------------------
>>    NO_FRAGMENTED_IPSEC_PACKETS		24587
>>
>>    By sending this notification the sender announces that it
>>    will always fragment packets before encapsulating them to
>>    the IPsec packets, i.e the recipient of this notification
>>    MAY drop all fragmented IPSec packets, as they are not
>>    generated by the other end.
>>  ----------------------------------------------------------------------
>
>Sorry about butting in. I have been on vacation and a bit of lost
>here. Are we now planning on MAJOR change in IPSEC, where you APPLY
>IPSEC to fragments?
>
>Otherwise above change makes no sense at all.

IPsec has always been applied to fragments that arrive at an SG, or 
in the case of IPv6, that are emitted by a host internally.

>Previously SG had to assemble the packets before doing IPSEC.

could you remind me of where we said that in 2401?

>So, I
>take above is to make SG's job easier? (Or IPSEC below IP-stack
>implementations). But, then it should limit selectors only to
>addresses, to keep things simple (e.g. if you allow IPSEC on
>fragments, don't even think of making it mandatory to support port
>selectors -- that's same as requiring reassembly anyway).
>
>For bump in the stack implementations, there should be no need for
>IPSEC:ing fragments, ever.
>
>Previously, fragmentation DOS attacks had no relevance to the
>IPSEC. Now, if fragments can be IPSEC:ed, there might be some consern.


Steve

Follow-Ups:
- Re: IKE negotiation for fragmentation controls in IPsec
  - From: Markku Savela <msa@burp.tkv.asdf.org>

References:
- IKE negotiation for fragmentation controls in IPsec
  - From: Stephen Kent <kent@bbn.com>
- IKE negotiation for fragmentation controls in IPsec
  - From: Tero Kivinen <kivinen@ssh.fi>
- Re: IKE negotiation for fragmentation controls in IPsec
  - From: Tero Kivinen <kivinen@ssh.fi>
- Re: IKE negotiation for fragmentation controls in IPsec
  - From: Markku Savela <msa@burp.tkv.asdf.org>

Prev by Date: Re: IKEv2: active user identity protection
Next by Date: Re: IKE negotiation for fragmentation controls in IPsec
Prev by thread: Re: IKE negotiation for fragmentation controls in IPsec
Next by thread: Re: IKE negotiation for fragmentation controls in IPsec
Index(es):
- Date
- Thread