RE: SAs that carry fragments Was: Re: Some IKEv2 issues
At 15:41 +0200 2/20/04, Tero Kivinen wrote:
>Stephen Kent writes:
>> >Yes, and people have figured ways of supporting this
>> >without needing separate SAs for fragments.
>> you said "ways" which is plural. It's not enough for a vendor to
>> decide how to map a fragment to an SA, since the receiver is supposed
>> to check each received packet against the selectors for the SA via
>> which it is received. So, if there is ONE way to do this, and
>> everybody already does it, and if it accommodates all the possible SA
>> configurations that a compliant implementation MUST support, then we
>> should just describe that way in 2401bis. But, what I fear you are
>> indicating is that different vendors have different ways of
>> accommodating fragments, and that these may not be common, which
>> means that interoperability problems may (will) occur, OR that not
>> all possible SA configurations will work. If so, then we need to fix
>> this situation.
>
>I do not know what others do, or whether they support port selectors at
>all. For VPN style setups (== tunnel mode) port selectors are not that
>useful, I think the most used setup there is tunnel from one IP or
>network to network, and no port selectors at all. They might have
>additional firewall rules after that, checking that only allowed
>protocols are used (smtp, www etc).
>
>Port selectors are more useful in the host to host case, i.e.
>transport mode, as there you might have per TCP/IP flow SAs (or per
>user SAs). In those cases the IPsec processing is done for the whole
>packet, thus this is a non-issue (there are no fragments to be processed
>in the transport mode case).
>
>So we are now only talking about tunnel mode. How often do people use
>tunnel mode along with port selectors? Does anybody have an example of
>a real-world case where it is needed? How do other implementations
>process fragmented tunnel mode packets along with SAs with port
>selectors?
We've had analogous debates on this before. IPsec is NOT just a VPN
technology and our specs ought not be VPN-specific. I have certainly
advised folks to use port selectors for tunnels under certain
instances, e.g., to restrict traffic to a server to be traffic of the
sort appropriate to that server, based on the well known ports
associated with the service.
Steve
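The receiver-side selector check discussed above, as an added illustration that is not part of the thread or any vendor's code: in tunnel mode, only the initial fragment of the inner packet carries the transport header, so an SA whose selectors include ports cannot verify a non-initial fragment. The selector layout and the sample packets are constructed for this example.

```python
import struct

def ipv4_packet(src, dst, proto, frag_offset_8b, more_fragments, payload):
    """Build a minimal 20-byte IPv4 header (checksum left zero) plus payload."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset_8b & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload

def classify(packet, selector):
    """Check a decapsulated inner packet against one SA's traffic selector.

    selector: {'src', 'dst' (4-byte addresses), 'proto', 'dst_port'} (assumed
    layout). Returns 'match', 'no-match', or 'ports-unavailable' when the
    packet is a non-initial fragment (or too short) and so carries no
    transport header whose ports could be compared with the selector.
    """
    ihl = (packet[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    proto = packet[9]
    src, dst = packet[12:16], packet[16:20]
    if (src, dst, proto) != (selector['src'], selector['dst'], selector['proto']):
        return 'no-match'
    if (flags_frag & 0x1FFF) != 0 or len(packet) < ihl + 4:
        return 'ports-unavailable'
    dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return 'match' if dst_port == selector['dst_port'] else 'no-match'

# Constructed sample data: an SA restricted to TCP to the SMTP port of a server,
# plus an initial fragment, a non-initial fragment, and a packet to another port.
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SELECTOR = {'src': SRC, 'dst': DST, 'proto': 6, 'dst_port': 25}
TCP_TO_25 = struct.pack("!HH", 40000, 25) + b"\x00" * 16
TCP_TO_80 = struct.pack("!HH", 40000, 80) + b"\x00" * 16
INITIAL_FRAG = ipv4_packet(SRC, DST, 6, 0, True, TCP_TO_25)
NON_INITIAL_FRAG = ipv4_packet(SRC, DST, 6, 185, False, b"rest of the data")
OTHER_PORT = ipv4_packet(SRC, DST, 6, 0, False, TCP_TO_80)

if __name__ == "__main__":
    for name, pkt in [("initial", INITIAL_FRAG), ("non-initial", NON_INITIAL_FRAG),
                      ("port 80", OTHER_PORT)]:
        print(name, "->", classify(pkt, SELECTOR))
```

A receiver that silently lets 'ports-unavailable' through has effectively dropped the port selector for fragments; one that rejects it breaks fragmented traffic on that SA, which is the interoperability gap the thread is about.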