
Re: SAs that carry fragments Was: Re: Some IKEv2 issues



Tero,

> > I think that the IKEv2 document needs to specify which encoding, one
> > of the above or something someone else suggests, MUST be used to
> > enable interoperability.
> 
> I think it should use:
> 
>     TS {
> 	TSi { ...
> 	      {IP=A, Protocol=TCP, Port=ANY(start=0,end=65535)}
> 	      ...
> 	    }
> 	TSr { ...
> 	      {IP=B, Protocol=TCP, Port=ANY}
> 	      ...
> 	    }
>        }

Is the consequence of such an encoding, i.e., that the default "DROP"
rule at the end of the SPD, loses much of its usefulness intentional?

I.e., such a rule would let any TCP packets go through.  Thus if one
wanted to only allow, say, TCP to port 22, including any fragments, then
the admin would have to insert a rule explicitly saying that ports
0 to 21 and 23 to 65535 should be DROP'ed.  It gets a lot worse if
multiple ports are allowed.

I think that the encoding you propose will result in more SPD
configuration errors and make IPsec harder to manage.

Charlie
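A toy model of an ordered SPD (first match wins, implicit final DROP), added here as an illustration and not part of the message or of any IKEv2 draft, that walks through the objection above: with the quoted Port=ANY encoding, one PROTECT entry admits every TCP port, so an admin who only wants TCP/22 (plus its fragments) must add explicit DROP entries for 0-21 and 23-65535 ahead of it. The rule and packet structures, and the convention that a packet with no port models a non-first fragment, are assumptions of this model.

```python
# Constructed model of an IPsec SPD lookup; not from the thread or any RFC text.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = (0, 65535)  # the "Port=ANY(start=0,end=65535)" encoding from the quoted proposal


@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str
    port: Optional[int]  # None models a non-first fragment (no transport header)


@dataclass(frozen=True)
class Rule:
    dst: str
    proto: str
    ports: Tuple[int, int]
    action: str  # "PROTECT", "BYPASS" or "DROP"

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst != self.dst or pkt.proto != self.proto:
            return False
        if self.ports == ANY:  # ANY is assumed to cover fragments that carry no port
            return True
        return pkt.port is not None and self.ports[0] <= pkt.port <= self.ports[1]


def spd_lookup(spd: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching entry; the trailing default is DROP."""
    for rule in spd:
        if rule.matches(pkt):
            return rule.action
    return "DROP"


# The proposed encoding: a single entry with Port=ANY so fragments are covered.
PROPOSED = [Rule("B", "TCP", ANY, "PROTECT")]

# What an admin who only wants TCP/22 (and its fragments) has to write instead:
# explicit DROP ranges placed before the catch-all entry.
RESTRICTED = [
    Rule("B", "TCP", (0, 21), "DROP"),
    Rule("B", "TCP", (23, 65535), "DROP"),
    Rule("B", "TCP", ANY, "PROTECT"),
]
```

With PROPOSED, a first fragment to TCP/80 is PROTECTed rather than dropped; with RESTRICTED it is dropped while port 22 and non-first fragments still pass, which is the extra configuration the message warns about.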