
Re: Traffic selectors, fragments, ICMP messages and security policy problems



Michael Richardson writes:
>     Tero> solved. The fragmentation issue is solved when using transport mode,
>     Tero> as there cannot be any fragments there. The ICMP issue is not solved
>     Tero> there, as ICMPs might still get wrong protection.
>   Actually, I don't agree.
>   There can be fragments there (consider 8K NFS over UDP), but one can 
> assume that the transport layer is sufficiently clued in to the IPsec
> layer so that the right SA is "cached". 

The rfc2401bis says that "AH and ESP cannot be applied using transport
mode to IPv4 packets that are fragments.". I.e. in transport mode the
IPsec is applied to full packets, and then the ESP packet is
fragmented. This will solve the problem as while we are doing the SA
selection based on selectors, we always have full packet, not
fragments, thus we can always see the port numbers. 

>   In the case of BITS implementation, the BITS can claim a very large
> MTU and do fragmentation itself (either before or after ESP/AH).

No, all implementations using transport mode MUST do fragmentation
after ESP/AH. They cannot do it before. 
-- 
kivinen@safenet-inc.com
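As an added illustration, not part of this thread or of any implementation discussed in it, the following Python model shows why the rfc2401bis rule matters for selector matching: a large NFS-style UDP datagram (Michael's example) is built as one full IPv4 packet and as two IP fragments, and a transport-mode policy check can only read the port selectors from the full packet. All packet contents, addresses and helper names are constructed for the example.

```python
import struct

IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")  # 20-byte header, no options
UDP_HEADER = struct.Struct("!HHHH")

def build_ipv4(payload, proto=17, frag_offset=0, more_fragments=False, ident=0x1234):
    """Constructed sample: minimal IPv4 header (checksum left zero) in front of payload."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = IPV4_HEADER.pack(0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                           bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def is_fragment(pkt):
    """RFC 791: a packet is a fragment if MF is set or the fragment offset is non-zero."""
    flags_frag = IPV4_HEADER.unpack_from(pkt)[4]
    return bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) != 0

def transport_mode_selectors(pkt):
    """Return (proto, src_port, dst_port) for a whole packet; refuse fragments.
    Models the quoted rule: transport-mode AH/ESP is never applied to IPv4 fragments,
    so the port selectors in the SPD can always be evaluated (hypothetical helper)."""
    if is_fragment(pkt):
        raise ValueError("fragment: transport header may be absent, cannot match selectors")
    fields = IPV4_HEADER.unpack_from(pkt)
    ihl = (fields[0] & 0x0F) * 4
    proto = fields[6]
    if proto in (6, 17):  # TCP/UDP: ports are the first two 16-bit words after the IP header
        sport, dport = struct.unpack_from("!HH", pkt, ihl)
        return proto, sport, dport
    return proto, None, None

def udp_datagram(sport, dport, data):
    return UDP_HEADER.pack(sport, dport, 8 + len(data), 0) + data

def demo():
    # Constructed: a 3000-byte NFS-style UDP datagram (port 2049) as one IP packet ...
    full = build_ipv4(udp_datagram(2049, 2049, b"\x00" * 3000))
    # ... and the same datagram split at a 1500-byte MTU; only frag1 carries the UDP header
    payload = full[20:]
    frag1 = build_ipv4(payload[:1480], more_fragments=True)
    frag2 = build_ipv4(payload[1480:], frag_offset=1480 // 8)
    results = {"full": transport_mode_selectors(full)}
    for name, frag in (("frag1", frag1), ("frag2", frag2)):
        try:
            results[name] = transport_mode_selectors(frag)
        except ValueError as err:
            results[name] = str(err)
    return results
```

Running `demo()` yields the ports for the full packet and a refusal for both fragments, including the first one whose UDP header happens to be present: the rule is about fragments as such, not about whether ports are visible in a given fragment.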