
RE: SAs that carry fragments Was: Re: Some IKEv2 issues



At 23:46 +0200 2/20/04, Tero Kivinen wrote:
>Stephen Kent writes:
>>  We've had analogous debates on this before.  IPsec is NOT just a VPN
>>  technology and our specs ought not be VPN-specific. I have certainly
>>  advised folks to use port selectors for tunnels under certain
>>  instances, e.g., to restrict traffic to a server to be traffic of the
>>  sort appropriate to that server, based on the well known ports
>>  associated with the service.
>
>How have they handled the fragmentation issue in those cases, or have
>they simply assumed that the fragmentation will not happen, and ignored
>all of those packets?

I suggested that they work hard to ensure that there are no fragments 
emitted by hosts within their environments. This works for TCP 
services, which is what was of primary interest, but would not work 
for UDP. We recognized that the lack of detailed specs for how to 
deal with fragments was a problem.

Steve