
Re: Traffic selectors, fragments, ICMP messages and security policy problems

Mark Duffy <mduffy@quarrytech.com> wrote:
    >> I think we should add text to rfc2401bis saying that
    >> 
    >> If port selectors are used then all data associated with data flow
    >> MUST be sent to the SA associated with that stream. This all data
    >> includes normal packets, ICMP messages related to the data flow and
    >> fragments (first and non-first) of packets. Responder MUST accept all
    >> data stream related data from SA associated with that stream."

    Mark> IMO mandating such behavior, with the implied buffering and
    Mark> state-saving it requires, would place a substantial obstacle
    Mark> to the availability of high speed, high capacity implementations.

  To date, the only significant deployment that I know of that would
even use port-selectors is securing L2TP traffic - and that traffic,
being ultimately a tunnelling protocol which terminates the *UDP* on
two hosts, should not have a problem.
  
  Can you name a situation or application that requires high speed, high
capacity offloading of *per-port* selector granularity? 

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

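[Added illustration, not part of the message above or of any IPsec implementation: a toy SPD classifier, in Python, showing why the quoted "all data of the flow goes to the same SA" rule costs state. Non-first fragments carry no port numbers, and an ICMP error carries them only inside the quoted inner header, so the classifier must remember where the first fragment went. The hosts, SA name and policy table are constructed; the L2TP port is UDP/1701.]

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                        # 6 = TCP, 17 = UDP, 1 = ICMP
    ip_id: int = 0                    # IPv4 Identification field
    mf: bool = False                  # More Fragments flag
    frag_offset: int = 0              # > 0 means a non-first fragment
    sport: Optional[int] = None       # only present in the first fragment
    dport: Optional[int] = None
    inner: Optional["Packet"] = None  # ICMP error: the quoted offending header

class Classifier:
    def __init__(self, spd):
        # spd: (src, dst, proto, dport) -> SA name; a constructed policy table
        self.spd = spd
        self.frag_state = {}  # (src, dst, ip_id) -> SA: the per-flow state Mark objects to

    def classify(self, p: Packet) -> Optional[str]:
        """Return the SA a packet belongs to, or None if it cannot be classified."""
        if p.proto == 1 and p.inner is not None:
            # ICMP error message: classify by the flow it reports on
            return self.classify(p.inner)
        if p.frag_offset > 0:
            # Non-first fragment: no transport header, so only saved state helps.
            key = (p.src, p.dst, p.ip_id)
            sa = self.frag_state.get(key)
            if sa is not None and not p.mf:
                del self.frag_state[key]  # last fragment seen, release the state
            return sa  # None if it arrived before the first fragment (needs buffering)
        sa = self.spd.get((p.src, p.dst, p.proto, p.dport))
        if sa is not None and p.mf:
            # First fragment of a fragmented datagram: remember where it went
            self.frag_state[(p.src, p.dst, p.ip_id)] = sa
        return sa

# Constructed example policy: protect L2TP (UDP/1701) between two hosts
EXAMPLE_SPD = {("10.0.0.1", "10.0.0.2", 17, 1701): "SA-L2TP"}

def demo():
    c = Classifier(EXAMPLE_SPD)
    first = Packet("10.0.0.1", "10.0.0.2", 17, ip_id=42, mf=True, sport=1701, dport=1701)
    last = Packet("10.0.0.1", "10.0.0.2", 17, ip_id=42, frag_offset=185)
    stray = Packet("10.0.0.1", "10.0.0.2", 17, ip_id=99, frag_offset=185)  # first never seen
    icmp = Packet("10.0.0.254", "10.0.0.1", 1,
                  inner=Packet("10.0.0.1", "10.0.0.2", 17, sport=1701, dport=1701))
    return [c.classify(first), c.classify(last), c.classify(stray), c.classify(icmp)]
```

The `stray` case is the out-of-order arrival that forces a real implementation to buffer or drop, which is the cost the reply above is pointing at.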