
Re: SAs that carry fragments Was: Re: Some IKEv2 issues

I'm still somewhat uneasy with this talk about doing IPSEC on
fragments. Say we have the following setup:

 H  <======> SG <-----> S

   H is my host
   SG is security gateway
   S is some server behind the SG

Normally my policy on H would express something like

  Use tunneled IPSEC via SG using ESP (3des, sha1) for all
  communication with server S.

There are cases

1. S replies with fragmented packets

  1.1 SG reassembles the packet, applies IPSEC as required, and the
    result gets fragmented again.

  1.2 SG does not reassemble packet, but applies IPSEC directly to the
    fragments coming from S.

2. S does not fragment packets, and sends them as whole.

  2.1 SG applies IPSEC to packet and sends it out without
    fragmentation (packet is still short enough to fit PMTU)

  2.2 SG applies IPSEC, but the resulting packet needs to be
    fragmented

---------

The bothering thing is:

H must now be prepared to handle all combinations EQUALLY within
the same dataflow

  - full packets protected with IPSEC
  - full IPSEC:ed packets fragmented
  - fragments with IPSEC applied individually to them

because host H cannot know what type of implementation SG has
(whether it reassembles packets from S before doing IPSEC or not).

If different SAs are required for normal and fragment packets,
the implementation must in the worst case negotiate 4 SAs for each
connection, to be prepared for all possible variants (fragment and
non-fragment SA for each direction).

If the possibility of fragments needs to be noticed in the policy,
all policies need to be duplicated: one for the non-fragmented, and one
for the fragmented case.

The fragments may not arrive in order. If the policy is dependent on
specific ports, the receiver must remember the SA applied to each
fragment until the full packet is received and the policy can be
checked.

Some optimization is possible: if two fragments belonging to the
same packet are protected with different SAs, the whole packet is
invalid, and the receiver can stop processing the fragments of that
packet. [Note: if fragments are protected with some different SA, then
the first fragment must use the same one as well.]

What if SAs expire between fragments? For example due to bytecount?
Long fragmented packets eat up the replay window fast (I still use 32
bits, need to upgrade I guess)?

I would just forbid doing IPSEC on fragments, and require the SG above
to do reassembly if S fragmented the packet. The other option is to
disallow port selectors with tunnel mode policies [and thus the policy
could be checked on each fragment individually].
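To make the receiver-side bookkeeping the post describes concrete, here is an added sketch (not from the original message or any real IPsec stack) of what a host like H would have to do: remember the SA each decapsulated fragment arrived under, drop the whole packet as soon as two fragments disagree on the SA, and defer the port-selector policy check until the first fragment (the only one carrying the transport header) has been seen. The SA names and port numbers are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Fragment:
    pkt_id: int            # IP Identification field (constructed sample values)
    offset: int            # fragment offset in bytes
    length: int            # payload bytes carried by this fragment
    more: bool             # MF flag
    sa: str                # SA under which this fragment was received
    ports: tuple = None    # (src, dst) ports; only the first fragment carries them

@dataclass
class Pending:
    sa: str                                    # SA remembered from first fragment seen
    frags: dict = field(default_factory=dict)  # offset -> (length, more)
    ports: tuple = None
    invalid: bool = False

class FragmentPolicyChecker:
    def __init__(self, policy):
        # policy maps a (src, dst) port selector to the SA it must use (hypothetical names)
        self.policy = policy
        self.pending = {}

    def receive(self, frag):
        """Return 'WAIT', 'ACCEPT' or 'DROP' for one decapsulated fragment."""
        p = self.pending.setdefault(frag.pkt_id, Pending(sa=frag.sa))
        if p.invalid:
            return "DROP"              # remainder of an already-invalid packet
        if frag.sa != p.sa:
            p.invalid = True           # fragments of one packet under different SAs
            return "DROP"
        p.frags[frag.offset] = (frag.length, frag.more)
        if frag.offset == 0:
            p.ports = frag.ports
            if self.policy.get(p.ports) != p.sa:
                p.invalid = True       # selector now known: policy can be checked
                return "DROP"
        if not self._complete(p):
            return "WAIT"              # keep per-fragment SA state until reassembly ends
        del self.pending[frag.pkt_id]
        return "ACCEPT"

    @staticmethod
    def _complete(p):
        # contiguous byte ranges from offset 0 up to a fragment with MF clear
        end, saw_last = 0, False
        for off in sorted(p.frags):
            length, more = p.frags[off]
            if off != end:
                return False
            end, saw_last = off + length, saw_last or not more
        return saw_last
```

The checker never decides on an out-of-order tail fragment alone; it has to hold that fragment's SA until the head arrives, which is exactly the state the post complains about.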