Re: SAs that carry fragments Was: Re: Some IKEv2 issues
Charles Lynn writes:
> I.e., such a rule would let any TCP packets go through.  Thus if one
> wanted to only allow, say TCP to port 22, including any fragments, then
> the admin would have to insert a rule explicitly saying that ports
> 0 to 21 and 23 to 65535 should be DROP'ed.  It gets a lot worse if
> multiple ports are allowed.

But any OPAQUE rule will allow attacks against the fragmentation code
for the host anyway, so what is the problem with sending any non-first
fragments in the same TCP 22 SA? Are you saying that the TCP 22 rule does
not allow fragments of the TCP 22 packets to get through (see my
previous posting of how to match fragments to the SAs)?

We were earlier talking about whether the TCP 22 rule should also allow
PMTU ICMPs etc. to go through, and now we are talking about whether to
allow fragmented packets to go through.

I think the TCP 22 rule should allow all traffic directly related to
TCP streams to port 22 through, meaning normal packets, fragmented
packets (all fragments, including non-first fragments), ICMPs related
to the TCP stream (PMTU, host unreachable, etc).

Creating a separate SA for each of those would be quite annoying (i.e.
you need to create a separate SA for ICMP traffic (and you need to
filter out the ICMP traffic that does not correspond to real active TCP
sessions, like faked host unreachable messages etc.), and a
separate SA for non-first fragments etc.).
-- 
kivinen@safenet-inc.com
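Kivinen's point above, that one TCP 22 rule should admit full packets, all fragments (including non-first ones, which carry no port numbers) and only those ICMP errors that quote a real active session, as an added Python example that is not part of this thread: the 10.0.0.x addresses, the session table and the selector layout are assumptions.

```python
import struct
from ipaddress import IPv4Address

# Assumed selector for the thread's "TCP 22" SA: TCP to the protected host's port 22.
SA_TCP22 = {"proto": 6, "dst": "10.0.0.2", "dport": 22}
# Constructed table of active sessions as (remote, rport, local, lport); used to reject faked ICMP.
ACTIVE_SESSIONS = {("10.0.0.1", 40000, "10.0.0.2", 22)}

def ipv4(proto, src, dst, payload, mf=False, off=0):
    """Build a minimal IPv4 packet (constructed test input, checksum left zero)."""
    ff = (0x2000 if mf else 0) | (off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, ff, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    ff = struct.unpack("!H", pkt[6:8])[0]
    return {"mf": bool(ff & 0x2000), "off": ff & 0x1FFF, "proto": pkt[9],
            "src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
            "payload": pkt[ihl:]}

def classify(pkt, sa=SA_TCP22, sessions=ACTIVE_SESSIONS):
    """Return the traffic class the SA admits this packet as, or None to drop it."""
    ip = parse_ipv4(pkt)
    if ip["proto"] == sa["proto"] and ip["dst"] == sa["dst"]:
        if ip["off"] != 0:
            # Non-first fragment: no transport header to read, so match on proto/addresses only.
            return "non-first-fragment"
        dport = struct.unpack("!H", ip["payload"][2:4])[0]
        if dport != sa["dport"]:
            return None
        return "first-fragment" if ip["mf"] else "full-packet"
    # ICMP errors (dest unreachable incl. frag-needed/PMTU, time exceeded, parameter problem)
    if ip["proto"] == 1 and ip["dst"] == sa["dst"] and ip["payload"][0] in (3, 11, 12):
        # The error quotes the offending packet's header (local -> remote). Admit it only if
        # that header matches a session that is really active, which drops faked unreachables.
        inner = parse_ipv4(ip["payload"][8:])
        sport, dport = struct.unpack("!HH", inner["payload"][:4])
        if inner["proto"] == sa["proto"] and (inner["dst"], dport, inner["src"], sport) in sessions:
            return "related-icmp"
    return None

# Constructed sample packets for the cases the thread discusses.
SSH = ipv4(6, "10.0.0.1", "10.0.0.2", struct.pack("!HH", 40000, 22) + bytes(16))
LATER_FRAG = ipv4(6, "10.0.0.1", "10.0.0.2", bytes(8), off=185)
PMTU = ipv4(1, "10.0.0.1", "10.0.0.2", bytes([3, 4, 0, 0, 0, 0, 0x05, 0xDC])
            + ipv4(6, "10.0.0.2", "10.0.0.1", struct.pack("!HH", 22, 40000)))
FAKED = ipv4(1, "10.0.0.1", "10.0.0.2", bytes([3, 1, 0, 0, 0, 0, 0, 0])
             + ipv4(6, "10.0.0.2", "10.0.0.9", struct.pack("!HH", 22, 5555)))
```

The session check is what keeps the single SA from becoming an OPAQUE-style hole for forged ICMP; without it, any peer could inject unreachables for sessions that never existed.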