
RE: SAs that carry fragments Was: Re: Some IKEv2 issues



Stephen Kent writes:
> >Yes, and people have figured ways of supporting this
> >without needing separate SAs for fragments.
> You said "ways" which is plural.  It's not enough for a vendor to 
> decide how to map a fragment to an SA, since the receiver is supposed 
> to check each received packet against the selectors for the SA via 
> which it is received. So, if there is ONE way to do this, and 
> everybody already does it, and if it accommodates all the possible SA 
> configurations that a compliant implementation MUST support, then we 
> should just describe that way in 2401bis.  But, what I fear you are 
> indicating is that different vendors have different ways of 
> accommodating fragments, and that these may not be common, which 
> means that interoperability problems may (will) occur, OR that not 
> all possible SA configurations will work.  If so, then we need to fix 
> this situation.

I do not know what others do, or whether they support port selectors at
all. For VPN-style setups (== tunnel mode) port selectors are not that
useful; I think the most common setup there is a tunnel from one IP or
network to a network, with no port selectors at all. They might have
additional firewall rules after that, checking that only allowed
protocols are used (smtp, www etc).

Port selectors are more useful in the host-to-host case, i.e.
transport mode, as there you might have per-TCP/IP-flow SAs (or
per-user SAs). In those cases the IPsec processing is done for the
whole packet, thus this is a non-issue (there are no fragments to be
processed in the transport mode case).

So we are now only talking about tunnel mode. How often do people use
tunnel mode along with port selectors? Does anybody have an example of
a real-world case where it is needed? How do other implementations
process a fragmented tunnel mode packet along with SAs that have port
selectors?
-- 
kivinen@safenet-inc.com
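The problem the thread is circling, as an added example that is not part of the original message nor any vendor's IPsec code: after a tunnel-mode receiver decapsulates an inner IPv4 packet, it is supposed to check that packet against the SA's selectors. If the selector names ports, the check needs the TCP/UDP header, which only the first fragment carries; a non-initial fragment is undecidable under a port selector, while an address/protocol-only selector can be evaluated on every fragment. The selector model, the packet builder/fragmenter and the sample SMTP packet below are all constructed for illustration and simplified (no IP options, checksums left zero, no fragment reassembly).

```python
"""Receiver-side selector check on a (possibly fragmented) inner IPv4 packet.

Added example with constructed packets; not traffic from, or code of, any
real IPsec implementation.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Selector:
    """Simplified SA traffic selector: address ranges, optional protocol and
    ports. None means 'any' (hypothetical model, not a 2401bis structure)."""
    src_net: str
    dst_net: str
    proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def build_ipv4(src, dst, proto, payload, ident=0x1234, mf=False, frag_off=0):
    """Minimal IPv4 header (no options, checksum left zero) plus payload.
    frag_off is in bytes; the header stores it in 8-byte units."""
    flags_frag = (0x2000 if mf else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt):
    """Decode the fixed IPv4 header fields this example needs."""
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "proto": proto, "mf": bool(flags_frag & 0x2000),
            "frag_off": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}


def fragment(pkt, mtu):
    """Split a packet built by build_ipv4 into fragments that fit in mtu."""
    p = parse_ipv4(pkt)
    ident = struct.unpack("!H", pkt[4:6])[0]
    chunk = ((mtu - 20) // 8) * 8          # fragment data must be a multiple of 8
    frags, off, data = [], 0, p["payload"]
    while off < len(data):
        piece = data[off:off + chunk]
        more = off + len(piece) < len(data)
        frags.append(build_ipv4(str(p["src"]), str(p["dst"]), p["proto"], piece,
                                ident=ident, mf=more, frag_off=off))
        off += len(piece)
    return frags


def check_selector(sel, pkt):
    """Return 'match', 'mismatch', or 'undecidable'.

    'undecidable' is the fragment problem: the SA's selector names ports, but
    this is a non-initial fragment, so the transport header is not in it."""
    p = parse_ipv4(pkt)
    if (p["src"] not in ipaddress.ip_network(sel.src_net)
            or p["dst"] not in ipaddress.ip_network(sel.dst_net)):
        return "mismatch"
    if sel.proto is not None and p["proto"] != sel.proto:
        return "mismatch"
    if sel.src_port is None and sel.dst_port is None:
        return "match"                     # address/protocol-only selector: fragments are fine
    if p["proto"] not in (TCP, UDP):
        return "mismatch"                  # ports only exist for TCP/UDP
    if p["frag_off"] != 0 or len(p["payload"]) < 4:
        return "undecidable"               # non-initial fragment: no ports to look at
    sport, dport = struct.unpack("!HH", p["payload"][:4])
    if sel.src_port is not None and sport != sel.src_port:
        return "mismatch"
    if sel.dst_port is not None and dport != sel.dst_port:
        return "mismatch"
    return "match"


# Constructed sample: an SMTP segment (TCP 40000 -> 25) with a 1000-byte body,
# then fragmented as a tunnel-mode gateway with a 576-byte inner MTU would.
_tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 25, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
INNER_PACKET = build_ipv4("10.1.2.3", "192.0.2.10", TCP, _tcp_hdr + b"\x00" * 1000)
FRAGMENTS = fragment(INNER_PACKET, 576)

SA_SMTP_ONLY = Selector("10.1.0.0/16", "192.0.2.0/24", proto=TCP, dst_port=25)
SA_NET_TO_NET = Selector("10.1.0.0/16", "192.0.2.0/24")


def demo():
    """Selector results per fragment: (port selector, net-to-net selector)."""
    return [(check_selector(SA_SMTP_ONLY, f), check_selector(SA_NET_TO_NET, f))
            for f in FRAGMENTS]


if __name__ == "__main__":
    for i, (ports, nets) in enumerate(demo()):
        print(f"fragment {i}: port selector -> {ports}, net selector -> {nets}")
```

The first fragment matches both SAs; the second matches the network-to-network SA but is undecidable under the SMTP-only SA, which is exactly why a receiver enforcing port selectors on tunnel-mode traffic needs some agreed rule (reassemble first, a separate fragment SA, or something else) before it can accept or drop that fragment.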