[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Traffic selectors, fragments, ICMP messages and security policy problems

To: Mark Duffy <mduffy@quarrytech.com>
Subject: Re: Traffic selectors, fragments, ICMP messages and security policy problems
From: Tero Kivinen <kivinen@iki.fi>
Date: Thu, 26 Feb 2004 17:58:07 +0200
Cc: Michael Richardson <mcr@sandelman.ottawa.on.ca>, ipsec@lists.tislabs.com
In-reply-to: <5.2.0.9.0.20040226095435.0208aa50@email>
References: <5.2.0.9.0.20040225161626.020c34e0@email><Your message of "Tue, 24 Feb 2004 17:44:50 EST." <5.2.0.9.0.20040224173754.0290be48@email><5.2.0.9.0.20040226095435.0208aa50@email>
Sender: owner-ipsec@lists.tislabs.com

Mark Duffy writes:
> >In your case you propably wouldn't have resources to encrypt all
> >non-first fragments, thus creating SA for non-first fragments isn't
> >a solution for you?
> 
> Not so.  I do not see encrypting all fragments as a problem at all.  I see 

I was thinking like the environment like syslog and NFS (both using
UDP), where almost all fragmented packets are NFS, and also causing
most of the traffic, but the sensetive packets are syslog, which might
also get fragmented in some cases. 

> mandating that security gateways buffer fragments until such time as they 
> can associate them with the initial fragment as a problem (for high 
> speed/capacity implementations).

The firewalls etc are already doing that on high-speed/capacity
implementations, so it is not impossible. The actual processing power
needed for the processing is low (one hash-table lookup per fragment
per fragmented packet). For non-fragmented packets it does not cause
any performance penalty.

For most of the fragmented packets do come in order, thus the extra
storage requirements can also kept quite low.

> Creating a separate SA for non-initial 
> fragments is acceptable to me, but I believe the wg has rejected this.

Yes.

> Like almost everything, this is a compromise between cost, performance, and 
> protection.  IMO the status quo from 2401 is ok for fragment 
> processing.

I think 2401 is silent about the issue, meaning that there will be
non-interoperable implementations, and I do not think that is
acceptable.

> AFAIK there have not been widespread complaints about it, 
> although others on this list would know much better than I.

I think the port selectors with tunnel mode are not used that much
that people would have noticed. 
-- 
kivinen@safenet-inc.com

References:
- Re: Traffic selectors, fragments, ICMP messages and security policy problems
  - From: Mark Duffy <mduffy@quarrytech.com>
- Re: Traffic selectors, fragments, ICMP messages and security policy problems
  - From: Mark Duffy <mduffy@quarrytech.com>
- Re: Traffic selectors, fragments, ICMP messages and security policy problems
  - From: Mark Duffy <mduffy@quarrytech.com>

Prev by Date: Re: Traffic selectors, fragments, ICMP messages and security policy problems
Next by Date: Filtering (RE: Traffic selectors, fragments, ICMP messages and security policy problems)
Previous by thread: Re: Traffic selectors, fragments, ICMP messages and security policy problems
Next by thread: Re: Traffic selectors, fragments, ICMP messages and security policy problems
Index(es):
- Date
- Thread