Re: Traffic selectors, fragments, ICMP messages and security policy problems



At 23:04 +0200 2/25/04, Tero Kivinen wrote:
>Michael Richardson writes:
>>      Tero> solved. The fragmentation issue is solved when using transport mode,
>>      Tero> as there cannot be any fragments there. The ICMP issue is not solved
>>      Tero> there, as ICMPs might still get wrong protection.
>>    Actually, I don't agree.
>>    There can be fragments there (consider 8K NFS over UDP), but one can
>>  assume that the transport layer is sufficiently clued in to the IPsec
>>  layer so that the right SA is "cached".
>
>The rfc2401bis says that "AH and ESP cannot be applied using transport
>mode to IPv4 packets that are fragments.". I.e. in transport mode the
>IPsec is applied to full packets, and then the ESP packet is
>fragmented. This will solve the problem as while we are doing the SA
>selection based on selectors, we always have full packet, not
>fragments, thus we can always see the port numbers.

right.

>
>>    In the case of BITS implementation, the BITS can claim a very large
>>  MTU and do fragmentation itself (either before or after ESP/AH).
>
>No, all implementations using transport mode MUST do fragmentation
>after ESP/AH. They cannot do it before.

yes, the intent is to fragment after applying IPsec, not before.

Steve