
SAs that carry fragments Was: Re: Some IKEv2 issues



Charles Lynn writes:
> >	4) Fragment only SA, and non-initial fragments
> > point 4 should be left out, as fragment only SAs (issue 81 and 49)
> > in RFC 2401 was rejected, i.e. there is no need to change anything
> > in the IKEv2 document because of that]
> 
> My understanding was that the WG rejected the proposal of creating a
> special SA that *only* carried non-initial fragments, not that the
> WG rejected affording fragments (other than IPv4 in transport mode)
> IPsec protection.

True, but there is no need to have any special handling for them; if
the IP addresses of the fragment match the traffic selectors of the SA,
then the packet can be sent there. I.e. the first fragments, non-first
fragments and full packets all share the same SA.

> The issue that has to be resolved is how fragments are identified (a
> local issue) and communicated using IKEv2's Traffic Selector
> mechanism.  Fragments can then be directed to *an appropriate SA* that
> is, or may be, carrying other, not-fragmented, traffic.
> 
> Since the transport layer selectors are not available in fragments,
> they are OPAQUE.  Thus fragments of TCP packets between A and B could
> be specified as:

Or, it can be said that those packets can only be sent to the SA
having transport layer selectors of ANY (i.e. if it takes any port
range, then it should also accept fragments which match the protocol
even when the actual packet does not have the port numbers in it).

> I think that the IKEv2 document needs to specify which encoding, one
> of the above or something someone else suggests, MUST be used to
> enable interoperability.

I think it should use:

    TS {
        TSi { ...
              {IP=A, Protocol=TCP, Port=ANY(start=0,end=65535)}
              ...
            }
        TSr { ...
              {IP=B, Protocol=TCP, Port=ANY}
              ...
            }
    }
-- 
kivinen@safenet-inc.com
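The selection rule argued above (a non-initial fragment carries no port numbers, so it may only be sent on an SA whose selectors accept any port for its protocol, while first fragments and whole packets match normally) written out as an added example; this is illustration code, not part of the thread or any IKE implementation, and the SA names and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY_PORT = (0, 65535)   # Port=ANY in the TS encoding proposed above
TCP, UDP = 6, 17

@dataclass(frozen=True)
class TrafficSelector:
    """One IKEv2 traffic selector: address range, IP protocol, port range."""
    net: str
    proto: int
    ports: Tuple[int, int] = ANY_PORT

@dataclass(frozen=True)
class Packet:
    """Outbound packet; ports are None when opaque (non-initial fragment)."""
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None

def ts_matches(ts: TrafficSelector, addr: str, proto: int, port: Optional[int]) -> bool:
    if ip_address(addr) not in ip_network(ts.net) or ts.proto != proto:
        return False
    if port is None:
        # No transport header in this fragment: only a selector that takes
        # any port for the protocol may carry it.
        return ts.ports == ANY_PORT
    return ts.ports[0] <= port <= ts.ports[1]

def select_sa(sas: List[Tuple[str, TrafficSelector, TrafficSelector]],
              pkt: Packet) -> Optional[str]:
    """Return the first SA (most specific listed first) whose TSi/TSr admit pkt."""
    for name, tsi, tsr in sas:
        if (ts_matches(tsi, pkt.src, pkt.proto, pkt.sport)
                and ts_matches(tsr, pkt.dst, pkt.proto, pkt.dport)):
            return name
    return None

# Constructed SAs between A=192.0.2.1 and B=198.51.100.2 (hypothetical addresses).
SAS = [
    ("ssh-only", TrafficSelector("192.0.2.1/32", TCP), TrafficSelector("198.51.100.2/32", TCP, (22, 22))),
    ("tcp-any",  TrafficSelector("192.0.2.1/32", TCP), TrafficSelector("198.51.100.2/32", TCP)),
]

def demo():
    whole = Packet("192.0.2.1", "198.51.100.2", TCP, 40000, 22)   # ports visible
    frag = Packet("192.0.2.1", "198.51.100.2", TCP)               # ports opaque
    udp_frag = Packet("192.0.2.1", "198.51.100.2", UDP)           # no UDP SA
    return select_sa(SAS, whole), select_sa(SAS, frag), select_sa(SAS, udp_frag)
```

The whole packet lands on the narrow SSH SA, the TCP fragment falls through to the Port=ANY SA, and a fragment of a protocol with no matching SA is not sent at all.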