Re: Traffic selectors, fragments, ICMP messages and security policy problems
At 23:04 +0200 2/25/04, Tero Kivinen wrote:
>Michael Richardson writes:
>> Tero> solved. The fragmentation issue is solved when using transport mode,
>> Tero> as there cannot be any fragments there. The ICMP issue is not solved
>> Tero> there, as ICMPs might still get wrong protection.
>> Actually, I don't agree.
>> There can be fragments there (consider 8K NFS over UDP), but one can
>> assume that the transport layer is sufficiently clued in to the IPsec
>> layer so that the right SA is "cached".
>
>The rfc2401bis says that "AH and ESP cannot be applied using transport
>mode to IPv4 packets that are fragments.". I.e. in transport mode the
>IPsec is applied to full packets, and then the ESP packet is
>fragmented. This will solve the problem as while we are doing the SA
>selection based on selectors, we always have full packet, not
>fragments, thus we can always see the port numbers.
right.
>
>> In the case of BITS implementation, the BITS can claim a very large
>> MTU and do fragmentation itself (either before or after ESP/AH).
>
>No, all implementations using transport mode MUST do fragmentation
>after ESP/AH. They cannot do it before.
yes, the intent is to fragment after applying IPsec, not before.
Steve
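The ordering point the thread settles on (evaluate the policy selectors on the whole datagram, apply ESP, and only then fragment) can be illustrated with a small model. The following Python is an added example, not code from the thread or from any IPsec implementation; the packet structure, the 8K NFS-over-UDP datagram, the MTU and the policy table are constructed for the illustration. It shows that once an IPv4 datagram is fragmented, only the first fragment still carries the UDP port numbers a selector needs, so a selector lookup on non-initial fragments cannot succeed, whereas protecting first and fragmenting the resulting ESP packet makes the SA choice on complete information.

```python
"""Added example (not from the thread): selector matching on fragments vs. full packets."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_UDP = 17
PROTO_ESP = 50


@dataclass
class IPv4Packet:
    """Minimal IPv4 model: just the fields the selector logic cares about."""
    src: str
    dst: str
    proto: int
    ident: int
    more_fragments: bool
    frag_offset: int      # in 8-byte units, as in the real header
    payload: bytes        # transport header + data (or a fragment of it)


@dataclass
class Selector:
    proto: int
    dst_port: int


# Constructed policy table: NFS over UDP (port 2049) gets ESP protection.
POLICIES = [("nfs-esp", Selector(PROTO_UDP, 2049))]


def build_udp_datagram(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header (ports, length, zero checksum) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def fragment(pkt: IPv4Packet, mtu: int) -> List[IPv4Packet]:
    """Split payload into fragments; every piece but the last is a multiple of 8 bytes."""
    chunk = (mtu - 20) // 8 * 8          # 20-byte IPv4 header, no options
    frags = []
    for off in range(0, len(pkt.payload), chunk):
        piece = pkt.payload[off:off + chunk]
        frags.append(IPv4Packet(pkt.src, pkt.dst, pkt.proto, pkt.ident,
                                more_fragments=(off + chunk) < len(pkt.payload),
                                frag_offset=off // 8, payload=piece))
    return frags


def transport_ports(pkt: IPv4Packet) -> Optional[Tuple[int, int]]:
    """Ports are only visible in an unfragmented packet or the first fragment."""
    if pkt.frag_offset != 0 or pkt.proto != PROTO_UDP or len(pkt.payload) < 8:
        return None
    sport, dport = struct.unpack("!HH", pkt.payload[:4])
    return sport, dport


def select_sa(pkt: IPv4Packet) -> Optional[str]:
    """Policy lookup on selectors; None when the selectors cannot be evaluated."""
    ports = transport_ports(pkt)
    if ports is None:
        return None
    for name, sel in POLICIES:
        if pkt.proto == sel.proto and ports[1] == sel.dst_port:
            return name
    return None


def transport_mode_protect(pkt: IPv4Packet, spi: int, seq: int) -> Tuple[Optional[str], IPv4Packet]:
    """Transport-mode ESP, modelled abstractly: SA chosen on the full packet,
    payload prefixed with an ESP header (SPI, sequence number). No cryptography
    is performed here; the point is the processing order, not the cipher."""
    sa = select_sa(pkt)
    esp_payload = struct.pack("!II", spi, seq) + pkt.payload
    return sa, IPv4Packet(pkt.src, pkt.dst, PROTO_ESP, pkt.ident, False, 0, esp_payload)


def demo(mtu: int = 1500) -> dict:
    """Compare 'fragment then select' with 'select, protect, then fragment'."""
    nfs = build_udp_datagram(sport=40000, dport=2049, data=b"\x00" * 8192)  # constructed 8K NFS write
    pkt = IPv4Packet("192.0.2.10", "192.0.2.20", PROTO_UDP, 0x1234, False, 0, nfs)

    # Wrong order: fragments first, then try to match selectors per fragment.
    frags = fragment(pkt, mtu)
    per_fragment = [select_sa(f) for f in frags]

    # Right order (rfc2401bis transport mode): select + protect the whole packet, then fragment.
    sa, esp_pkt = transport_mode_protect(pkt, spi=0x1000, seq=1)
    esp_frags = fragment(esp_pkt, mtu)
    return {"fragments": len(frags), "per_fragment": per_fragment,
            "chosen_sa": sa, "esp_fragments": len(esp_frags)}


if __name__ == "__main__":
    print(demo())
```

With a 1500-byte MTU the 8200-byte UDP payload becomes six fragments; only the first yields the "nfs-esp" policy and the other five cannot be classified at all, which is the gap the thread describes. Choosing the SA on the whole datagram before fragmenting removes the ambiguity, since the receiver reassembles the ESP packet before processing it.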