
Re: Traffic selectors, fragments, ICMP messages and security policy problems



At 01:47 PM 2/25/2004 -0500, Michael Richardson wrote:
>   Tero> I think we should add text to rfc2401bis saying that
>   Tero>
>   Tero> "If port selectors are used then all data associated with data flow
>   Tero> MUST be sent to the SA associated with that stream. This all data
>   Tero> includes normal packets, ICMP messages related to the data flow and
>   Tero> fragments (first and non-first) of packets. Responder MUST accept all
>   Tero> data stream related data from SA associated with that stream."
>
>   Mark> IMO mandating such behavior, with the implied buffering and
>   Mark> state-saving it requires, would place a substantial obstacle
>   Mark> to the availability of high speed, high capacity implementations.
>
>   To date, the only significant deployment that I know of that would
>even use port-selectors is securing L2TP traffic - and that traffic,
>being ultimately a tunnelling protocol which terminates the *UDP* on
>two hosts, should not have a problem.
>
>   Can you name a situation or application that requires high speed, high
>capacity offloading of *per-port* selector granularity?

IPsec incorporates port selectors and the market looks to IPsec equipment 
vendors to support them.  As a vendor, when I ship a box with support for 
port selectors I have to assume my customers will use them.  It has to work 
and it has to perform.

To respond more directly to your question, any situation that requires 
per-port selector granularity at low speed/capacity may require the same 
selector granularity at high speed/capacity if the data rate grows or if 
IPsec is provided at a place in the network where traffic is more highly 
aggregated.  If no one needs per-port granularity, let's remove it from 
2401bis; if it is needed, then in some cases it will be needed with high 
performance.

One reason someone might want to encrypt only certain applications would be 
if IPsec implementations that do not run at wire rate are present in the 
network and therefore encryption has to be rationed to the most sensitive apps.

--Mark
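The trade-off argued above (steering every fragment and related ICMP error of a
flow onto the SA chosen by a port selector, versus the flow state that steering
requires) is easier to see in code. The following is an added illustration
written for this archive page; it is not code from Tero, Mark, Michael, or any
IPsec implementation. It models a toy SPD with two entries for the same host
pair, one with a port selector and one without, and a constructed flow of a
first fragment, a non-first fragment, an orphan fragment whose first fragment
has not yet arrived, and an ICMP error quoting the original packet. The packet
model, SPD format, SA names, addresses, and the ICMP direction handling are all
simplifying assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed, simplified model of an IPsec SPD with port selectors.
# Illustration only; not any implementation's real classifier.

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # ICMP types that quote the offending packet


@dataclass
class Packet:
    src: str
    dst: str
    proto: int                        # 1 = ICMP, 6 = TCP, 17 = UDP
    ip_id: int = 0
    frag_offset: int = 0              # 0 for the first (or only) fragment
    more_frags: bool = False
    sport: Optional[int] = None       # None when no transport header is present
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    inner: Optional["Packet"] = None  # header quoted inside an ICMP error


@dataclass
class SpdEntry:
    src: str
    dst: str
    proto: int
    dport: Optional[int]              # None = any port (no port selector)
    sa: str


def spd_lookup(spd: List[SpdEntry], src: str, dst: str, proto: int,
               dport: Optional[int]) -> str:
    """First-match SPD lookup; an entry with dport=None ignores the port."""
    for e in spd:
        if (e.src, e.dst, e.proto) == (src, dst, proto) and e.dport in (None, dport):
            return e.sa
    return "DISCARD"


def stateless_classify(spd: List[SpdEntry], p: Packet) -> str:
    """Per-packet lookup with no flow state. A non-first fragment carries no
    transport header, so it can only ever match port-agnostic entries."""
    return spd_lookup(spd, p.src, p.dst, p.proto, p.dport)


class StatefulClassifier:
    """Implements the quoted rule: a flow's packets, its fragments and the ICMP
    errors about it are all steered to the SA chosen for that flow."""

    def __init__(self, spd: List[SpdEntry]) -> None:
        self.spd = spd
        # (src, dst, proto, ip_id) -> SA chosen when the first fragment was seen.
        # This per-datagram state is the cost the thread is arguing about.
        self.frag_state: Dict[Tuple[str, str, int, int], str] = {}

    def classify(self, p: Packet) -> str:
        if p.proto == 1 and p.icmp_type in ICMP_ERROR_TYPES and p.inner is not None:
            # ICMP error: classify on the quoted header of the original packet.
            # Assumption: direction handling omitted; the inner header is matched
            # against the same SPD as the data flow it belongs to.
            i = p.inner
            return spd_lookup(self.spd, i.src, i.dst, i.proto, i.dport)
        key = (p.src, p.dst, p.proto, p.ip_id)
        if p.frag_offset > 0:
            # Non-first fragment: ports unknown, only remembered state gives the
            # SA. If the first fragment has not arrived yet, hold (buffer) it.
            return self.frag_state.get(key, "HOLD")
        sa = spd_lookup(self.spd, p.src, p.dst, p.proto, p.dport)
        if p.more_frags:
            self.frag_state[key] = sa
        return sa


def demo() -> Dict[str, str]:
    """Constructed scenario: a port-selector entry for L2TP over UDP/1701 and a
    catch-all UDP entry for the same host pair."""
    spd = [
        SpdEntry("10.0.0.1", "10.0.0.2", 17, 1701, "SA-L2TP"),  # port selector
        SpdEntry("10.0.0.1", "10.0.0.2", 17, None, "SA-BULK"),  # any UDP
    ]
    first = Packet("10.0.0.1", "10.0.0.2", 17, ip_id=7, more_frags=True,
                   sport=40000, dport=1701)
    second = Packet("10.0.0.1", "10.0.0.2", 17, ip_id=7, frag_offset=185)
    orphan = Packet("10.0.0.1", "10.0.0.2", 17, ip_id=8, frag_offset=185)
    icmp = Packet("10.0.0.254", "10.0.0.1", 1, icmp_type=3,
                  inner=Packet("10.0.0.1", "10.0.0.2", 17, sport=40000, dport=1701))
    cls = StatefulClassifier(spd)
    return {
        "first_frag": cls.classify(first),
        "second_frag": cls.classify(second),
        "second_frag_stateless": stateless_classify(spd, second),
        "orphan_frag": cls.classify(orphan),
        "icmp_error": cls.classify(icmp),
        "icmp_error_stateless": stateless_classify(spd, icmp),
    }
```

The contrast is the point: the stateless lookup sends the second fragment of an
L2TP datagram on SA-BULK (it can only match the port-agnostic entry) and
discards the ICMP error outright, so the responder sees part of the flow arrive
on the wrong SA or not at all. Satisfying the quoted rule needs the
frag_state table and a HOLD path for fragments that arrive before their first
fragment, which is the buffering and state-saving a wire-rate classifier would
have to provide per fragmented datagram.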