
Re: Traffic selectors, fragments, ICMP messages and security policy problems





Tero Kivinen <kivinen@iki.fi> wrote:
    Tero> solved. The fragmentation issue is solved when using transport mode,
    Tero> as there cannot be any fragments there. The ICMP issue is not solved
    Tero> there, as ICMPs might still get wrong protection.

  Actually, I don't agree.

  There can be fragments there (consider 8K NFS over UDP), but one can 
assume that the transport layer is sufficiently clued in to the IPsec
layer so that the right SA is "cached". 
  In the case of BITS implementation, the BITS can claim a very large
MTU and do fragmentation itself (either before or after ESP/AH).

    Tero> The vendors have solved this problem differently. As I explained
    Tero> earlier, for example our implementation will do partial reassembly
    Tero> (i.e. wait for the first fragment and then forward all fragments to
    Tero> the same SA) to handle fragments. This will put all fragments on the same
    Tero> SA, providing them the same protection.

  Yes, at great cost to queueing buffers, and if a fragment is lost, or
goes via another path, you lose.

    Tero> For ICMPs you can check the original packet part of the ICMP message
    Tero> and see if it contains enough information so you can select
    Tero> the proper SA for it (i.e. if the port numbers are available
    Tero> use them and select SA based on them). If the ICMP does not
    Tero> have enough data (possible in IPv4) to contain selectors, then
    Tero> it probably will not have any real
    Tero> policy sensitive data anyways, thus sending it using any SA is
    Tero> probably ok.

  I can agree to this.
  It does have profound effects upon tunnel exit policy!

    Tero> I think we should add text to rfc2401bis saying that

    Tero> "If port selectors are used then all data associated with data flow
    Tero> MUST be sent to the SA associated with that stream. This all data
    Tero> includes normal packets, ICMP messages related to the data flow and
    Tero> fragments (first and non-first) of packets. Responder MUST accept all
    Tero> data stream related data from SA associated with that stream."

  That's sufficient text for me to understand, but maybe more text is
necessary to properly explain the situation. Perhaps your entire message
provides a good basis.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
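As an added illustration of the selection rules discussed in this exchange (not code from either poster), the Python below picks an SA for an outbound IPv4 packet the way the thread describes: port selectors for normal packets, the first fragment's SA cached for non-first fragments (partial reassembly), and the embedded original header for ICMP errors, falling back to "any SA" when no selectors are present. The policy table, SA names and addresses are constructed, and a port is matched against either side of the flow as a simplification so that an ICMP error, which carries the original reversed datagram, maps to the same SA as the flow it concerns.

```python
import struct

# Constructed sample policy: (protocol, port) -> SA name. Hypothetical names; the
# port is matched against either source or destination so a flow and the ICMP
# errors about it (which carry the original, reversed packet) land on one SA.
POLICY = {(17, 2049): "SA-nfs", (6, 22): "SA-ssh"}
DEFAULT_SA = "SA-any"            # fallback for ICMP errors carrying no selectors
FRAG_CACHE = {}                  # (src, dst, ip_id) -> SA, learned from first fragments
ICMP_ERRORS = {3, 4, 5, 11, 12}  # dest unreach, quench, redirect, time exceeded, param problem

def lookup(proto, sport, dport):
    return POLICY.get((proto, sport)) or POLICY.get((proto, dport)) or DEFAULT_SA

def ipv4(proto, payload, ip_id=1, more=False, offset=0,
         src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Build a constructed IPv4 packet (no checksum; 'offset' in 8-byte units)."""
    frag = (0x2000 if more else 0) | offset
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                       ip_id, frag, 64, proto, 0, src, dst) + payload

def select_sa(pkt):
    """Return the SA for an outbound packet, or None if a non-first fragment
    must be queued until its first fragment has fixed the SA (partial reassembly)."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_id, frag = struct.unpack("!HH", pkt[4:8])
    proto, src, dst = pkt[9], pkt[12:16], pkt[16:20]
    payload = pkt[ihl:]
    key = (src, dst, ip_id)
    if frag & 0x1FFF:                        # non-first fragment: no port numbers present
        return FRAG_CACHE.get(key)
    if proto in (6, 17) and len(payload) >= 4:
        sa = lookup(proto, *struct.unpack("!HH", payload[:4]))
    elif proto == 1 and payload and payload[0] in ICMP_ERRORS:
        # ICMP error: the offending datagram's header follows the 8-byte ICMP header
        inner = payload[8:]
        sa = DEFAULT_SA
        if len(inner) >= 20:
            in_ihl, in_proto = (inner[0] & 0x0F) * 4, inner[9]
            in_l4 = inner[in_ihl:]
            if in_proto in (6, 17) and len(in_l4) >= 4:
                sa = lookup(in_proto, *struct.unpack("!HH", in_l4[:4]))
    else:
        sa = DEFAULT_SA
    if frag & 0x2000:                        # first fragment: pin later fragments to this SA
        FRAG_CACHE[key] = sa
    return sa
```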

