
RE: SAs that carry fragments Was: Re: Some IKEv2 issues



At 15:41 +0200 2/20/04, Tero Kivinen wrote:
>Stephen Kent writes:
>>  >Yes, and people have figured ways of supporting this
>>  >without needing separate SAs for fragments.
>>  you said "ways" which is plural.  It's not enough for a vendor to
>>  decide how to map a fragment to an SA, since the receiver is supposed
>>  to check each received packet against the selectors for the SA via
>>  which it is received. So, if there is ONE way to do this, and
>>  everybody already does it, and if it accommodates all the possible SA
>>  configurations that a compliant implementation MUST support, then we
>>  should just describe that way in 2401bis.  But, what I fear you are
>>  indicating is that different vendors have different ways of
>>  accommodating fragments, and that these may not be common, which
>>  means that interoperability problems may (will) occur, OR that not
>>  all possible SA configurations will work.  If so, then we need to fix
>>  this situation.
>
>I do not know what others do, or whether they support port selectors at
>all. For VPN style setups (== tunnel mode) port selectors are not that
>useful, I think the most used setup there is tunnel from one IP or
>network to network, and no port selectors at all. They might have
>additional firewall rules after that, checking that only allowed
>protocols are used (smtp, www etc).
>
>Port selectors are more useful in the host to host case, i.e.
>transport mode, as there you might have per TCP/IP flow SAs (or per
>user SAs). In those cases the IPsec processing is done for the whole
>packet, thus this is a non-issue (there are no fragments to be processed
>in the transport mode case).
>
>So we are now only talking about tunnel mode. How often do people use
>tunnel mode along with port selectors? Does anybody have a real-world
>example where it is needed? How do other implementations
>process the fragmented tunnel mode packet along with SAs with port
>selectors?

We've had analogous debates on this before.  IPsec is NOT just a VPN 
technology and our specs ought not be VPN-specific. I have certainly 
advised folks to use port selectors for tunnels under certain 
instances, e.g., to restrict traffic to a server to be traffic of the 
sort appropriate to that server, based on the well known ports 
associated with the service.

Steve
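As an added illustration of the receiver-side problem discussed in this thread (not code from the list or from any implementation), the following constructs IPv4 packets by hand and applies a hypothetical tunnel-mode SA selector that restricts traffic to one server's well-known port. The first fragment carries the transport header and can be checked; a non-initial fragment carries no ports, so the receiver cannot verify the port selector at all.

```python
import ipaddress
import struct
from typing import Optional

# Hypothetical SA selector (constructed for this example): only TCP to port 25
# on one server may arrive through this SA.
SELECTOR = {"dst": ipaddress.ip_network("10.0.0.5/32"), "proto": 6, "dport": 25}


def build_ipv4(src: str, dst: str, proto: int, mf: bool, offset: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (checksum left zero); offset is in 8-byte units."""
    flags_frag = ((1 if mf else 0) << 13) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                      64, proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + payload


def inner_ports(pkt: bytes) -> Optional[tuple]:
    """Return (sport, dport) only if this datagram carries the transport header."""
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if frag_offset != 0 or len(pkt) < ihl + 4:
        return None  # non-initial fragment: no L4 header to inspect
    return struct.unpack("!HH", pkt[ihl:ihl + 4])


def check_selectors(pkt: bytes, sel: dict) -> str:
    """Receiver-side selector check: 'accept', 'drop', or 'indeterminate'."""
    proto = pkt[9]
    dst = ipaddress.ip_address(pkt[16:20])
    if dst not in sel["dst"] or proto != sel["proto"]:
        return "drop"  # address/protocol selectors are always checkable
    ports = inner_ports(pkt)
    if ports is None:
        return "indeterminate"  # port selector cannot be verified on this fragment
    return "accept" if ports[1] == sel["dport"] else "drop"


def demo() -> dict:
    """Constructed traffic: a fragmented SMTP datagram and an unfragmented HTTP one."""
    tcp25 = struct.pack("!HH", 40000, 25) + b"\x00" * 16
    tcp80 = struct.pack("!HH", 40000, 80) + b"\x00" * 16
    first = build_ipv4("192.0.2.1", "10.0.0.5", 6, True, 0, tcp25 + b"A" * 8)
    rest = build_ipv4("192.0.2.1", "10.0.0.5", 6, False, 3, b"B" * 8)
    other = build_ipv4("192.0.2.1", "10.0.0.5", 6, False, 0, tcp80)
    return {"first": check_selectors(first, SELECTOR),
            "rest": check_selectors(rest, SELECTOR),
            "other_port": check_selectors(other, SELECTOR)}
```

The "indeterminate" result is exactly the gap the thread is about: without a rule for which SA non-initial fragments belong to, each receiver has to choose its own policy for them.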