Re: IKE negotiation for fragmentation controls in IPsec
At 10:13 PM +0300 6/30/03, Markku Savela wrote:
> > From: Tero Kivinen <kivinen@ssh.fi>
>
>> ----------------------------------------------------------------------
>> NO_FRAGMENTED_IPSEC_PACKETS 24587
>>
>> By sending this notification the sender announces that it
>> will always fragment packets before encapsulating them to
>> the IPsec packets, i.e. the recipient of this notification
>> MAY drop all fragmented IPSec packets, as they are not
>> generated by the other end.
>> ----------------------------------------------------------------------
>
>Sorry about butting in. I have been on vacation and am a bit lost
>here. Are we now planning on MAJOR change in IPSEC, where you APPLY
>IPSEC to fragments?
>
>Otherwise above change makes no sense at all.
IPsec has always been applied to fragments that arrive at an SG, or
in the case of IPv6, that are emitted by a host internally.
>Previously SG had to assemble the packets before doing IPSEC.
Could you remind me of where we said that in 2401?
>So, I
>take above is to make SG's job easier? (Or IPSEC below IP-stack
>implementations). But, then it should limit selectors only to
>addresses, to keep things simple (e.g. if you allow IPSEC on
>fragments, don't even think of making it mandatory to support port
>selectors -- that's same as requiring reassembly anyway).
>
>For bump in the stack implementations, there should be no need for
>IPSEC:ing fragments, ever.
>
>Previously, fragmentation DOS attacks had no relevance to the
>IPSEC. Now, if fragments can be IPSEC:ed, there might be some concern.
Steve
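Added illustration (not part of the thread, and not code from any of the
participants): a small Python model of the receiver-side behaviour the quoted
NO_FRAGMENTED_IPSEC_PACKETS text describes, and of Markku's point that port
selectors cannot be evaluated on non-initial fragments. It parses only the
fixed IPv4 header, treats a packet as a fragment when MF is set or the fragment
offset is non-zero, and drops fragmented ESP packets only when the peer has sent
the notification (otherwise it queues them for reassembly). The notification
number 24587 is taken from the quoted draft text; the packet builder, the
addresses and the policy function names are constructed for the example.

```python
import struct

# Notification type as quoted from the draft text in this thread.
NO_FRAGMENTED_IPSEC_PACKETS = 24587

ESP_PROTO = 50
TCP_PROTO = 6

IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte fixed IPv4 header, no options


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 fields needed for fragment and selector decisions."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "proto": proto,
        "more_fragments": bool(flags_frag & 0x2000),   # MF flag
        "frag_offset": (flags_frag & 0x1FFF) * 8,      # offset in bytes
        "src": src,
        "dst": dst,
        "payload": pkt[ihl:],
    }


def is_fragment(hdr: dict) -> bool:
    """A packet is a fragment if MF is set or it is not the first piece."""
    return hdr["more_fragments"] or hdr["frag_offset"] != 0


def ports_available(hdr: dict) -> bool:
    """Port selectors need the transport header, which is only present in
    an unfragmented packet or the first fragment (and only if enough of the
    payload survived to hold the two 16-bit port fields)."""
    return hdr["frag_offset"] == 0 and len(hdr["payload"]) >= 4


def inbound_ipsec_decision(pkt: bytes, peer_notified: bool) -> str:
    """Receiver policy for an inbound packet from a given IKE peer.

    peer_notified is True when that peer sent NO_FRAGMENTED_IPSEC_PACKETS,
    i.e. it promised to fragment before encapsulating, so any fragmented
    ESP packet claiming to come from it was not generated by that peer."""
    hdr = parse_ipv4(pkt)
    if hdr["proto"] != ESP_PROTO:
        return "not-ipsec"
    if is_fragment(hdr):
        return "drop" if peer_notified else "reassemble"
    return "process"


def build_ipv4(proto: int, payload: bytes, more_fragments: bool = False,
               frag_offset: int = 0) -> bytes:
    """Constructed test packet builder (checksum left zero; not sent anywhere)."""
    flags_frag = (0x2000 if more_fragments else 0) | ((frag_offset // 8) & 0x1FFF)
    src, dst = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"   # constructed 10.0.0.1 -> 10.0.0.2
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload


# Constructed sample packets: SPI + sequence number + padding stand in for ESP.
ESP_WHOLE = build_ipv4(ESP_PROTO, b"\x00\x00\x00\x01" + b"\x00\x00\x00\x01" + b"\x00" * 8)
ESP_FIRST_FRAG = build_ipv4(ESP_PROTO, b"\x00\x00\x00\x01" + b"\x00" * 12, more_fragments=True)
ESP_LATER_FRAG = build_ipv4(ESP_PROTO, b"\x00" * 16, frag_offset=1480)
TCP_LATER_FRAG = build_ipv4(TCP_PROTO, b"\x00" * 16, frag_offset=1480)


if __name__ == "__main__":
    for name, pkt in [("whole ESP", ESP_WHOLE), ("first ESP frag", ESP_FIRST_FRAG),
                      ("later ESP frag", ESP_LATER_FRAG), ("later TCP frag", TCP_LATER_FRAG)]:
        print(name, "notified:", inbound_ipsec_decision(pkt, True),
              "not notified:", inbound_ipsec_decision(pkt, False),
              "ports usable:", ports_available(parse_ipv4(pkt)))
```

The last line of the output table is the selector point: a non-initial TCP
fragment carries no port numbers at all, so a policy that applies port
selectors to fragments has to reassemble first, exactly as Markku observes.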