
Re: SAs that carry fragments Was: Re: Some IKEv2 issues

Replying to my own mail, and bringing the issue back on topic...

> The H must now be prepared to handle all combinations EQUALLY with
> the same dataflow
> 
>   - full packets protected with IPSEC
>   - full IPSEC:ed packets fragmented
>   - fragments with IPSEC applied individually to them

My suggestion is:

  IPSEC SA negotiation is based on full packet, and the same SA
  is applied to both full packet and fragments.

This is logical, because fragmentation, whether it happens or not,
should not in any way affect the security of the protected connection.

Thus, it is no concern of IKEv2 whether IPSEC is applied to fragments
or not. It should be left to the IPSEC implementation how it deals
with the fragment issue. It is not an issue for key management.

For example, if your SG does not support (or does not currently have)
port selectors in policy, you can just process packets individually,
whether they are whole or fragments.

If your SG wants to support port selectors, it must at minimum buffer
the fragments until the first is received. And if it is prepared to do
this, it could also reassemble the packet in full and not apply IPSEC
to fragments at all.
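As an added illustration (not code from the mail or from any IPsec implementation), the following Python sketch models the gateway behaviour proposed above: the SA is chosen from the first fragment, which carries the ports, and that same SA is then applied to every fragment of the datagram, with non-initial fragments buffered until the first one arrives. The SPD rules, addresses and SA names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of an IP fragment as seen by a security gateway (SG).
@dataclass
class Fragment:
    src: str
    dst: str
    ident: int                  # IP identification, shared by all fragments of a datagram
    offset: int                 # fragment offset (8-byte units); 0 marks the first fragment
    more: bool                  # MF flag; offset 0 and more=False is an unfragmented packet
    proto: int = 17             # assumed UDP for the example
    sport: Optional[int] = None # transport ports exist only in the first fragment
    dport: Optional[int] = None

# Constructed SPD: a rule with a port selector, then a catch-all without ports.
POLICY = [
    {"dst": "10.0.0.2", "proto": 17, "dport": 500, "sa": "SA-ike"},
    {"dst": "10.0.0.2", "proto": 17, "dport": None, "sa": "SA-any"},
]

def lookup_sa(first: Fragment) -> str:
    """Match the first fragment (the only one with a transport header) against the SPD."""
    for rule in POLICY:
        if rule["dst"] == first.dst and rule["proto"] == first.proto:
            if rule["dport"] is None or rule["dport"] == first.dport:
                return rule["sa"]
    return "DISCARD"

class FragmentAwareSG:
    """Buffers non-initial fragments until the first fragment is seen, then applies
    the SA selected for the whole datagram to every fragment of it."""
    def __init__(self) -> None:
        self.pending: Dict[tuple, List[Fragment]] = {}  # datagram key -> fragments waiting
        self.chosen: Dict[tuple, str] = {}              # datagram key -> SA from first fragment

    def process(self, frag: Fragment) -> List[Tuple[int, str]]:
        """Return (offset, sa) for each fragment that can be handled after this arrival."""
        key = (frag.src, frag.dst, frag.ident)
        if frag.offset == 0:
            sa = lookup_sa(frag)
            self.chosen[key] = sa
            # Release anything that arrived before the first fragment, under the same SA.
            waiting = self.pending.pop(key, [])
            return [(frag.offset, sa)] + [(f.offset, sa) for f in waiting]
        if key in self.chosen:
            return [(frag.offset, self.chosen[key])]
        # First fragment not seen yet: a real SG must bound this buffer and time it out.
        self.pending.setdefault(key, []).append(frag)
        return []
```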