[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

2401bis Issue # 81 -- Handling outbound red fragments

To: ipsec mailingList <ipsec@lists.tislabs.com>
Subject: 2401bis Issue # 81 -- Handling outbound red fragments
From: Karen Seo <kseo@bbn.com>
Date: Tue, 30 Sep 2003 01:49:06 -0400
Cc: byfraser@cisco.com, tytso@mit.edu, "Angelos D. Keromytis" <angelos@cs.columbia.edu>, kivinen@ssh.fi, kseo@bbn.com
Sender: owner-ipsec@lists.tislabs.com

Folks,

Here's a description and proposed approach for:

IPsec Issue #:	81

Title:		Handling outbound red fragments


Description:
=============

     Plaintext	|---------------|   Cyphertext
      Outbound	|               |    Inbound
     ----------->|     IPsec	|<------------
                 |    entity 1   |
                 |               |
                 |---------------|


Although there is some ambiguity, 2401 generally states that SAs 
configured for transport mode operation do not accept outbound red IP 
fragments as inputs. In contrast, tunnel mode SAs are allowed to 
accept outbound red fragments as inputs for BITS, BITW, and security 
gateway implementations. Accepting outbound fragments raises the 
question of how to select an SPD entry, since a fragment may be 
missing applicable selector fields. 2401 indicates that a fragment 
can be mapped to an SA only if the SA selectors for the unavailable 
field(s) are marked as OPAQUE or ANY. Should we change how IPsec 
handles this situation?

Note: While transport mode doesn't work with outbound red IP 
fragments in IPv4, it would work for IPv6...

a. For IPv4, in each fragment, the IPsec header is inserted between 
the IPv4 header, which contans the fragmentation-related fields, and 
the payload.  The receiving system processes the fragmentation 
information before the IPsec header and does reassembly before IPsec 
processing.  It thus ends up with a re-assembled packet containing 
IPsec headers (as many as there were fragments) interspersed 
throughout the data.

b. For IPv6, in each fragment, the IPsec header is inserted before 
the fragmentation-related fields.  The receiving system processess 
the extension headers in order, doing the IPsec processing before 
reassembly.  It thus ends up with a re-assembled packet containing 
only the original payload and no IPsec headers.

Proposed approach:
==================
The current section on how to handle outbound fragments when the port 
fields may be inaccessible will be replaced by the following approach.

"Between each of pair of IPsec implementations, one or more 
tunnel-mode SA will be established that are used to carry ONLY 
non-initial red fragments, if both the source and destination end of 
the IPsec tunnel-mode SA agree to transmit/receive fragments (as 
determined via IKE negotiation or manual configuration). To provide 
this facility, the IPsec implementation MUST support the following:

The SPD entries for the fragment tunnels specify what kind of tunnel 
mode protections are required and MUST have their selectors specified 
as follows:

   WILDCARD = a single range that covers all possible values
   OPAQUE = the value is not available, e.g., it's encrypted
            or the protocol doesn't have that selector, etc.
   ANY = opaque or wildcard

Field   	SPD Entry
--------	-------------
src addr 	WILDCARD, flag set to use the packet value
dst addr	WILDCARD, flag set to use the packet value
protocol*	44
src port 	ANY
dst port	ANY
user id		ANY
sec. labels	ANY
mobil. hdr type	ANY
ICMP type	ANY

   * IPv6 non-initial fragments use 44 to indicate a fragment.

When an initial fragment is received, its selectors will be used to 
look up a matching entry (for packets) in the SPD.  If necessary, an 
SA will be created and the appropriate IPsec protection will be 
applied.  Normal SA setup procedures are followed.

When a non-initial fragment is received, the IPsec implementation 
uses protocol = 44 (fragment) plus the fragment's other selectors (at 
a minimum, IP source and destination addresses) to look up a matching 
entry in the SPD.   If necessary, an SA will be created and the 
appropriate IPsec protection will be applied. Normal SA setup 
procedures are followed.

Because all non-initial fragments will be mapped to SAs using 
protocol selector = 44, the non-initial fragments will automatically 
be placed on the SAs intended for their use.

At the receiving end of the fragment SA, the IPsec implementation 
MUST check and remove the tunnel header, check the fragment's 
selectors against the selectors of the SA, having set the fragment's 
"protocol" to 44, and verify that the fragment is a non-initial 
fragment by looking at the fragment's offset.

There MUST be a mechanism for the administrator to configure a 
minimum fragment offset value to avoid a non-initial fragment from 
overwriting selectors in the initial fragment.  This MAY be a single 
value or there MAY be separate values for IPv4 and IPv6.  The IPsec 
implementation MUST verify that the fragment offset is greater than 
or equal to the minimum offset value.

Thank you,
Karen

Prev by Date: 2401bis Issue # 85 -- DROP'd inbound packet -- does not match SA
Next by Date: 2401bis Issue # 84 -- DROP'd outbound packet
Prev by thread: 2401bis Issue # 85 -- DROP'd inbound packet -- does not match SA
Next by thread: 2401bis Issue # 84 -- DROP'd outbound packet
Index(es):
- Date
- Thread