Re: Traffic selectors, fragments, ICMP messages and security policy problems
Tero Kivinen <kivinen@iki.fi> wrote:
Tero> solved. The fragmentation issue is solved when using transport mode,
Tero> as there cannot be any fragments there. The ICMP issue is not solved
Tero> there, as ICMPs might still get wrong protection.
Actually, I don't agree.
There can be fragments there (consider 8K NFS over UDP), but one can
assume that the transport layer is sufficiently clued in to the IPsec
layer so that the right SA is "cached".
In the case of BITS implementation, the BITS can claim a very large
MTU and do fragmentation itself (either before or after ESP/AH).
Tero> The vendors have solved this problem differently. As I explained
Tero> earlier for example our implementation will do partial-reassembly
Tero> (i.e. wait for the first-fragment and then forward all fragments to
Tero> same SA) to handle fragments. This will put all fragments to the same
Tero> SA, providing them the same protection.
Yes, at great cost to queueing buffers, and if a fragment is lost, or
goes via another path, you lose.
Tero> For ICMPs you can check the original packet part of the ICMP message
Tero> and see if it contains enough information so you can select
Tero> the proper SA for it (i.e. if the port numbers are available
Tero> use them and select SA based on them). If the ICMP does not
Tero> have enough data (possible in IPv4) to contain selectors, then
Tero> it probably will not have any real
Tero> policy sensitive data anyways, thus sending it using any SA is
Tero> probably ok.
I can agree to this.
It does have profound effects upon tunnel exit policy!
Tero> I think we should add text to rfc2401bis saying that
Tero> "If port selectors are used then all data associated with data flow
Tero> MUST be sent to the SA associated with that stream. This all data
Tero> includes normal packets, ICMP messages related to the data flow and
Tero> fragments (first and non-first) of packets. Responder MUST accept all
Tero> data stream related data from SA associated with that stream."
That's sufficient text for me to understand, but maybe more text is
necessary to properly explain the situation. Perhaps your entire message
provides a good basis.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
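The two mechanisms Tero describes above, classifying a fragment train on its first fragment and classifying an ICMP error on the original datagram it quotes, can be shown in one small SA-selection routine. The following is an added illustration written for this page; it is not code from the thread, from Tero's or Michael's implementations, or from any vendor. It assumes (my assumptions, not the thread's) an SPD represented as an ordered list of (selector dict, SA name) pairs with missing fields as wildcards, IPv4 only, and a first fragment that actually carries the transport header. The SPD entries, addresses and packets are constructed test data.

```python
"""SA selection for fragments and ICMP errors under port selectors.

Added example, not code from the IPsec thread or any implementation.
Assumptions: SPD = ordered list of (selector dict, sa_name); a selector
field that is absent or None is a wildcard; IPv4 only; the first fragment
carries the TCP/UDP header.  SAs are unidirectional in real IPsec; here one
name stands for a flow's SA pair, so lookups may be tried in both directions.
"""
import struct
from typing import Optional

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}   # unreachable, quench, redirect, time exceeded, param problem

def parse_ipv4(pkt: bytes) -> dict:
    """Extract the IPv4 header fields that selection needs (no checksum check)."""
    ver_ihl, _tos, total_len, ip_id, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ip_id, "proto": proto, "src": src, "dst": dst,
            "more_frags": bool(flags_off & 0x2000),
            "frag_offset": (flags_off & 0x1FFF) * 8,      # bytes
            "payload": pkt[ihl:total_len]}

def transport_ports(proto: int, payload: bytes) -> Optional[tuple]:
    """(sport, dport) when a TCP/UDP header is present, else None."""
    if proto in (PROTO_TCP, PROTO_UDP) and len(payload) >= 4:
        return struct.unpack("!HH", payload[:4])
    return None

def spd_lookup(spd, src, dst, proto, ports) -> Optional[str]:
    """First-match SPD lookup; None in a selector field is a wildcard."""
    for sel, sa in spd:
        if sel.get("src") not in (None, src) or sel.get("dst") not in (None, dst):
            continue
        if sel.get("proto") not in (None, proto):
            continue
        if sel.get("sport") is not None and (ports is None or ports[0] != sel["sport"]):
            continue
        if sel.get("dport") is not None and (ports is None or ports[1] != sel["dport"]):
            continue
        return sa
    return None

def lookup_flow(spd, src, dst, proto, ports) -> Optional[str]:
    """Lookup for a flow in either direction (see module docstring)."""
    rev = (ports[1], ports[0]) if ports else None
    return spd_lookup(spd, src, dst, proto, ports) or spd_lookup(spd, dst, src, proto, rev)

def select_sa(pkt: bytes, spd, frag_cache: dict) -> Optional[str]:
    """Choose the SA for one datagram.

    Fragments: the first fragment is classified on its ports and the answer is
    cached under (src, dst, proto, id) so later fragments follow it; a
    non-first fragment with no cache entry returns None, meaning "hold it"
    (what partial reassembly does).  ICMP errors: classify on the quoted inner
    datagram when it carries ports; otherwise any SA whose address selectors
    match is acceptable, as the thread argues.
    """
    ip = parse_ipv4(pkt)
    key = (ip["src"], ip["dst"], ip["proto"], ip["id"])
    if ip["frag_offset"] != 0:                    # non-first fragment: no ports here
        return frag_cache.get(key)
    if ip["proto"] == PROTO_ICMP and ip["payload"][0] in ICMP_ERROR_TYPES:
        inner = ip["payload"][8:]                 # the quoted original datagram
        if len(inner) >= 20:
            ihdr = parse_ipv4(inner)
            ports = transport_ports(ihdr["proto"], ihdr["payload"])
            if ports is not None:
                return lookup_flow(spd, ihdr["src"], ihdr["dst"], ihdr["proto"], ports)
        return lookup_flow(spd, ip["src"], ip["dst"], None, None)   # no selectors: any SA
    sa = spd_lookup(spd, ip["src"], ip["dst"], ip["proto"], transport_ports(ip["proto"], ip["payload"]))
    if ip["more_frags"] and sa is not None:       # first fragment: remember for the rest
        frag_cache[key] = sa
    return sa

# ---- constructed test data (hypothetical addresses and SPD) ----
A, B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SPD = [({"src": A, "dst": B, "proto": PROTO_UDP, "dport": 2049}, "SA-nfs"),
       ({"src": A, "dst": B, "proto": PROTO_TCP, "dport": 22}, "SA-ssh"),
       ({"src": A, "dst": B}, "SA-bulk")]

def build_ipv4(src, dst, proto, payload, ip_id=0, mf=False, frag_offset=0) -> bytes:
    """Constructed IPv4 datagram (checksum left zero; not needed here)."""
    flags_off = (0x2000 if mf else 0) | (frag_offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id,
                       flags_off, 64, proto, 0, src, dst) + payload

def demo() -> dict:
    """Run the classifier over an NFS fragment train, ICMP errors and a TCP packet."""
    cache = {}
    udp = lambda sport, dport, length: struct.pack("!HHHH", sport, dport, length, 0)
    nfs_first = build_ipv4(A, B, PROTO_UDP, udp(40000, 2049, 8200) + b"\0" * 64, ip_id=7, mf=True)
    nfs_rest = build_ipv4(A, B, PROTO_UDP, b"\0" * 64, ip_id=7, frag_offset=1480)
    orphan = build_ipv4(A, B, PROTO_UDP, b"\0" * 64, ip_id=8, frag_offset=1480)
    quoted = build_ipv4(A, B, PROTO_UDP, udp(40000, 2049, 8200))    # IP header + 8 bytes, as ICMP quotes it
    frag_needed = struct.pack("!BBHHH", 3, 4, 0, 0, 1400)          # type 3 code 4, next-hop MTU 1400
    icmp_full = build_ipv4(B, A, PROTO_ICMP, frag_needed + quoted)
    icmp_short = build_ipv4(B, A, PROTO_ICMP, frag_needed + quoted[:20])
    ssh = build_ipv4(A, B, PROTO_TCP, b"\x9c\x40\x00\x16" + b"\0" * 16)
    return {"nfs_first": select_sa(nfs_first, SPD, cache),
            "nfs_rest": select_sa(nfs_rest, SPD, cache),
            "orphan_fragment": select_sa(orphan, SPD, cache),
            "icmp_with_ports": select_sa(icmp_full, SPD, cache),
            "icmp_without_ports": select_sa(icmp_short, SPD, cache),
            "ssh": select_sa(ssh, SPD, cache)}

if __name__ == "__main__":
    for name, sa in demo().items():
        print(f"{name:20s} -> {sa}")
```

The orphan fragment case (non-first fragment whose first fragment never arrived, or arrived on another path) is exactly the cost Michael points out: the classifier has nothing to go on and must either buffer or drop, and the buffer is what an attacker can fill.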