[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SAs that carry fragments Was: Re: Some IKEv2 issues



Stephen Kent writes:
> In 2401, and so far in 2401bis, we have distinguished between ANY and 
> OPAQUE. if we decide to continue to do that, then at a minimum, we 
> would not consider a fragment with no port fields to match an SA that 
> allowed traffic with ANY as the value for port fields.
> 
> Also, If an IPsec implementation has two SA between the same 
> source/dest address pairs, and with the same protocol value(s), but 
> distinguished traffic based on specific (vs. ANY) port fields, then a 
> non-initial fragment cannot be mapped to either SA unambiguously. An 

Actually it can, but it requires little bit work. For example our code
does the following (I do know that this is much more than what is
required by the rfc2401):

	1) If it receives unknown non-first fragment, it will put it
           in the separate queue (queue length and number bytes
           consumed is limited).
	2) When it receives the first-fragment it will find the SA
           suitable for it, and send packet forward.
	3) Then it will search through the non-first fragments queue
           and find other fragments for the packet, and send those
           forward (verifying in the process that the fragments do not
           overwrite the fields used in selecting the SA).
	4) It will create known-fragment entry to database, marking
           that if we see other fragments to this packet, they can be
           sent forward to this SA if they start after this offset.
           This entry will timeout after some time.

This will allow selecting proper SA for each fragment (non-first or
first). Of course the other end needs to do the same processing when
packets are processed to verify the selectors, in this case it is
easier, as the other end has already waited for the first-fragment, so
it will most likely come first (not necessary, the order might have
changed during transit).

So it is not impossible, it simply requires some work. We do not need
to do full reassembly, we simply need to mark that fragment matching
this source/destination/protocol/id should be sent/received from this
SA. 

> analogous problem arises if there is just one, extant SA that matches 
> the addresses and protocol, and we are forced to search the SPD to 
> see if another SA might be appropriate. These observations motivate 
> use of a separate SA to carry fragments, right?

Or to do the fragment handling properly, i.e. put them to the same SA
which haves the non-first fragments. 
-- 
kivinen@safenet-inc.com