
Re: Traffic selectors, fragments, ICMP messages and security policy problems



At 09:02 PM 2/24/2004 +0200, Tero Kivinen wrote:
...
>I think we should add text to rfc2401bis saying that
>
>"If port selectors are used then all data associated with data flow
>MUST be sent to the SA associated with that stream. This all data
>includes normal packets, ICMP messages related to the data flow and
>fragments (first and non-first) of packets. Responder MUST accept all
>data stream related data from SA associated with that stream."

IMO mandating such behavior, with the implied buffering and state-saving it 
requires, would place a substantial obstacle to the availability of high 
speed, high capacity implementations.

--Mark
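The rule in Tero's quoted text, as an added example that is not part of the original thread: a small Python model (standard library only) of what it takes to apply port selectors to fragments and ICMP errors. Non-first IP fragments carry no transport header, so their ports are unknown, and an ICMP error names the flow it relates to only inside its payload. A per-packet lookup on the outer header therefore either cannot match a port selector or matches a different entry; following every piece of a datagram to one SA needs a fragment-to-SA table and a queue for fragments that arrive before their first fragment. The addresses, ports, SA names and SPD entries are hypothetical, as are the sample packets, which are constructed inline.

```python
"""Model of SPD lookup with port selectors vs. fragments and ICMP errors.
All addresses, ports, SA names and packets below are constructed for this
example (hypothetical); checksums are left zero and never verified."""
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
MF = 0x2000  # "more fragments" flag in the IPv4 flags/offset field


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ipv4(src, dst, proto, payload, ident=0x4242, mf=False, frag_off=0):
    """Build an IPv4 datagram. frag_off is in bytes (multiple of 8)."""
    ff = (MF if mf else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, ff,
                      64, proto, 0, _ip(src), _ip(dst))
    return hdr + payload


def tcp(sport, dport, data=b""):
    """Minimal 20-byte TCP header (PSH/ACK) followed by data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + data


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: Optional[int]  # None when the packet carries no transport header
    dport: Optional[int]


def parse(pkt):
    """Return (flow, ident, frag_off_bytes, more_fragments, transport_bytes)."""
    vihl, _, _, ident, ff, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    body = pkt[(vihl & 0x0F) * 4:]
    off = (ff & 0x1FFF) * 8
    sport = dport = None
    if off == 0 and proto == IPPROTO_TCP and len(body) >= 4:  # ports only in the first fragment
        sport, dport = struct.unpack("!HH", body[:4])
    flow = Flow(".".join(map(str, s)), ".".join(map(str, d)), proto, sport, dport)
    return flow, ident, off, bool(ff & MF), body


def related_flow(pkt):
    """The data flow a packet belongs to. For an ICMP error (dest-unreach,
    time-exceeded, param-problem) that is the datagram quoted in its payload:
    8-byte ICMP header, then the original IP header plus 8 bytes of transport."""
    flow, _, off, _, body = parse(pkt)
    if flow.proto == IPPROTO_ICMP and off == 0 and len(body) >= 36 and body[0] in (3, 11, 12):
        return parse(body[8:])[0]
    return flow


@dataclass(frozen=True)
class Selector:
    src: str
    dst: str
    proto: Optional[int] = None   # None = wildcard
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        if (f.src, f.dst) != (self.src, self.dst):
            return False
        if self.proto is not None and f.proto != self.proto:
            return False
        # A flow whose ports are unknown (None) can never satisfy a port selector.
        return self.dport is None or f.dport == self.dport


SPD = [  # hypothetical policy; first match wins
    (Selector("10.0.0.5", "192.0.2.10", IPPROTO_TCP, 443), "SA-web"),
    (Selector("10.0.0.5", "192.0.2.10"), "SA-any"),
]


def lookup(flow):
    return next((sa for sel, sa in SPD if sel.matches(flow)), None)


def stateless_select(pkt):
    """Per-packet lookup on the outer header only: no fragment or ICMP state."""
    return lookup(parse(pkt)[0])


class StatefulSelector:
    """Lookup that follows the quoted rule: fragments inherit the SA chosen for
    the first fragment of their datagram, ICMP errors follow the quoted flow."""

    def __init__(self):
        self.frag_sa = {}  # (src, dst, proto, ident) -> SA of the first fragment

    def select(self, pkt):
        flow, ident, off, mf, _ = parse(pkt)
        key = (flow.src, flow.dst, flow.proto, ident)
        if off == 0 and mf:                 # first fragment: ports visible, record decision
            self.frag_sa[key] = sa = lookup(flow)
            return sa
        if off > 0:                         # non-first fragment: no ports at all
            sa = self.frag_sa.get(key)
            if sa is None:
                return "BUFFER"             # must be queued until the first fragment arrives
            if not mf:
                del self.frag_sa[key]       # last fragment; reordering would need a timer instead
            return sa
        return lookup(related_flow(pkt))    # unfragmented packet, possibly an ICMP error


# Constructed sample traffic (hypothetical addresses).
HOST, SERVER, ROUTER = "10.0.0.5", "192.0.2.10", "192.0.2.1"
PKT_TCP = ipv4(HOST, SERVER, IPPROTO_TCP, tcp(40000, 443, b"GET / HTTP/1.0\r\n"))
_big = tcp(40000, 443, b"A" * 1480)                       # 1500 bytes of TCP: two fragments at MTU 1500
PKT_FRAG1 = ipv4(HOST, SERVER, IPPROTO_TCP, _big[:1480], ident=7, mf=True)
PKT_FRAG2 = ipv4(HOST, SERVER, IPPROTO_TCP, _big[1480:], ident=7, frag_off=1480)
PKT_ICMP = ipv4(ROUTER, HOST, IPPROTO_ICMP,               # port unreachable about PKT_TCP
                struct.pack("!BBHI", 3, 3, 0, 0) + PKT_TCP[:28])

if __name__ == "__main__":
    s = StatefulSelector()
    for name, p in [("frag2 first", PKT_FRAG2), ("frag1", PKT_FRAG1), ("frag2", PKT_FRAG2),
                    ("tcp", PKT_TCP), ("icmp", PKT_ICMP)]:
        print(f"{name:12} stateless={stateless_select(p)!s:7} stateful={s.select(p)}")
```

Run it to see the split: the stateless lookup sends the first fragment to SA-web but the second to SA-any and finds no policy at all for the ICMP error, while the stateful lookup keeps all of them on SA-web at the cost of a fragment table and a queue for out-of-order fragments.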