
Re: 2401bis issues (red side frag)



At 12:49 PM 10/15/2003 +0300, Tero Kivinen wrote:
...
>I.e., there will not be a special flag for SA that means that red
>fragments OK for this SA. So if red fragments are not going to have
>special inbound handling the issue 81 which proposed creating special
>SA for outbound to them should be rejected too.
>
>So the special treatment was proposed. I don't think we have any issue
>in the issue tracker about whether the 2401bis should or should not
>permit red-side fragmentation.

Hi all,

I would like to request that 2401bis lift the prohibition on red-side 
fragmentation by SG, BITS, BITW.

Red-side fragmentation, when employed, can reduce the reassembly burden on 
the IPsec receiver, and with it some potential for DoS attack.  It can also 
increase the performance of the overall solution, by distributing the 
reassembly burden to end hosts.  I know of at least one vendor that offers 
a red-side fragmentation option now, and I believe that other vendors do so 
as well.

After applying red-side fragmentation, the IPsec device would evaluate the 
SPD for each fragment just as though the fragments had been received from 
the black side.  Fragments not containing port numbers can only match a 
rule with port selectors equal to "wildcard" or "opaque", or rules for 
protocols where port numbers are not used.

Since this behavior is pretty much indistinguishable from fragmentation 
that may occur anyway upstream of the IPsec device, I do not see any reason 
to disallow it.

I propose text such as the following, added somewhere in the outbound 
processing description:

     An SG, BITS, or BITW implementation MAY fragment packets before
     applying IPsec.  The device SHOULD have a configuration setting
     to disable this.  The resulting fragments are evaluated against
     the SPD in the normal manner.  Thus, fragments not containing port
     numbers may only match rules having port selectors of "opaque" or
     "wildcard".

Thanks, Mark

P.S. Issues 49 and 81, which requested *special handling* for red-side 
fragmentation have been rejected.  This request is NOT the same as those 
and is in fact much simpler.
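The behaviour the proposed text describes (fragment on the red side, then run each fragment through the SPD exactly as if it had arrived from the black side, so that non-initial fragments can only hit rules with "wildcard" or "opaque" port selectors) is modelled below. This is an added illustration written for this page; it is not code from the message's author, from 2401bis, or from any vendor's product. The selector model is a simplification: a three-value port selector (a specific port, "wildcard", or "opaque"), a first-match SPD with a DISCARD default, a constructed IPv4/UDP datagram, IP and UDP checksums left at zero, and the assumption that a fragment at offset 0 long enough to hold the transport header carries the port numbers. Names such as SPDRule, process_outbound and the constructed addresses are hypothetical.

```python
"""Red-side fragmentation followed by per-fragment SPD evaluation.

Constructed example, not vendor or RFC code.  An IPv4 packet is split at a
red-side MTU *before* IPsec processing, and every fragment is then matched
against the SPD on its own.  Fragments carrying no transport header expose
no port numbers, so a rule with a specific port cannot match them; only
"wildcard" or "opaque" port selectors can.  Checksums are omitted.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple, Union

WILDCARD = "wildcard"   # selector: matches any port value, present or absent
OPAQUE = "opaque"       # selector: matches only when the port is unavailable
NOPORT = "noport"       # packet-side marker: this fragment carries no ports
PORT_PROTOS = {6, 17, 132}   # TCP, UDP, SCTP: protocols that carry ports

Port = Union[int, str]


def ipv4_udp_packet(src: bytes, dst: bytes, sport: int, dport: int,
                    payload: bytes, ident: int = 0x1234) -> bytes:
    """Minimal IPv4 + UDP datagram (constructed input; checksums are zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ident, 0,
                      64, 17, 0, src, dst)
    return hdr + udp


def fragment(packet: bytes, mtu: int) -> List[bytes]:
    """RFC 791 style fragmentation: copy the IP header onto each piece and
    set MF/fragment-offset.  Only the first piece contains the UDP header."""
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) <= mtu:
        return [packet]
    header, payload = packet[:ihl], packet[ihl:]
    chunk = (mtu - ihl) // 8 * 8          # fragment payloads are 8-byte multiples
    frags, offset = [], 0
    while offset < len(payload):
        piece = payload[offset:offset + chunk]
        more = offset + len(piece) < len(payload)
        hdr = bytearray(header)
        struct.pack_into("!H", hdr, 2, ihl + len(piece))                 # total length
        struct.pack_into("!H", hdr, 6, (0x2000 if more else 0) | offset // 8)  # MF|offset
        frags.append(bytes(hdr) + piece)
        offset += len(piece)
    return frags


def selectors(frag: bytes) -> Tuple[bytes, bytes, int, Port, Port]:
    """Selector values visible in one fragment.  Ports are NOPORT for a
    non-initial fragment, for a first fragment too short to hold them, and
    for protocols that have no ports."""
    ihl = (frag[0] & 0x0F) * 4
    proto, src, dst = frag[9], frag[12:16], frag[16:20]
    frag_off = struct.unpack_from("!H", frag, 6)[0] & 0x1FFF
    if proto not in PORT_PROTOS or frag_off != 0 or len(frag) < ihl + 4:
        return src, dst, proto, NOPORT, NOPORT
    sport, dport = struct.unpack_from("!HH", frag, ihl)
    return src, dst, proto, sport, dport


@dataclass(frozen=True)
class SPDRule:          # hypothetical, simplified SPD entry
    src: bytes
    dst: bytes
    proto: int
    sport: Port
    dport: Port
    action: str         # "PROTECT", "BYPASS" or "DISCARD"


def port_matches(rule_port: Port, pkt_port: Port) -> bool:
    if rule_port == WILDCARD:
        return True
    if rule_port == OPAQUE:
        return pkt_port == NOPORT
    return pkt_port == rule_port     # a specific port never matches NOPORT


def spd_lookup(spd: List[SPDRule], frag: bytes) -> str:
    """First-match lookup; no match means DISCARD."""
    src, dst, proto, sp, dp = selectors(frag)
    for r in spd:
        if (r.src == src and r.dst == dst and r.proto == proto
                and port_matches(r.sport, sp) and port_matches(r.dport, dp)):
            return r.action
    return "DISCARD"


def process_outbound(spd: List[SPDRule], packet: bytes,
                     red_mtu: int) -> List[Tuple[int, str]]:
    """Red-side fragmentation, then an SPD decision per fragment.
    Returns [(fragment offset in 8-byte units, action), ...]."""
    out = []
    for frag in fragment(packet, red_mtu):
        off = struct.unpack_from("!H", frag, 6)[0] & 0x1FFF
        out.append((off, spd_lookup(spd, frag)))
    return out


# Constructed sample: 1028-byte UDP datagram to port 53, red-side MTU 576.
A, B = bytes([10, 1, 0, 5]), bytes([10, 2, 0, 7])
PKT = ipv4_udp_packet(A, B, 40000, 53, b"x" * 1000)
SPD_SPECIFIC = [SPDRule(A, B, 17, WILDCARD, 53, "PROTECT")]
SPD_WITH_OPAQUE = SPD_SPECIFIC + [SPDRule(A, B, 17, OPAQUE, OPAQUE, "PROTECT")]
SPD_WILDCARD = [SPDRule(A, B, 17, WILDCARD, WILDCARD, "PROTECT")]


def demo(spd: List[SPDRule], mtu: int = 576) -> List[Tuple[int, str]]:
    return process_outbound(spd, PKT, mtu)


if __name__ == "__main__":
    print("specific port only:", demo(SPD_SPECIFIC))
    print("plus opaque rule:  ", demo(SPD_WITH_OPAQUE))
    print("wildcard, no frag: ", demo(SPD_WILDCARD, 1500))
```

With only the port-53 rule, the first fragment is protected and the second (offset 69, no UDP header) falls through to DISCARD; adding an "opaque" rule, or using "wildcard" ports, lets the tail fragment be protected as well. That is the same outcome an upstream router's fragmentation would have produced at the device's red interface, which is the equivalence the message relies on.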