
Re: Traffic selectors, fragments, ICMP messages and security policy problems
On Thu, Feb 26, 2004 at 10:13:37AM -0500, Mark Duffy wrote:
> 
> I'm not convinced that is a MUST.  One alternative is to leave this choice 
> to the administrators.  I.e. if they want to protect the non-initial 
> fragments, they do so via SPD rules that match them based on port selectors 
> of "any" or "opaque".

Please, consider the human-factors issues here!  I think that this is a
terrible idea; inevitably, administrators (who may not reasonably be
expected to even truly grasp the concept of IP fragmentation, nor to know
what information appears in initial and subsequent fragments!) will be 
confused by this concept and will inadvertently fail to secure their
systems, while believing that they have, in fact, secured them.

If we make the rule a MUST, we can emphasize that an implementation MAY
implement it by generating and applying additional "any" or "opaque"
port selectors to catch fragments.  But expecting anyone who wishes to
use IPsec and port selectors to understand such protocol details seems
an incredibly poor choice.

All too often, I think, we design systems by the criterion "Can it be
used in a secure fashion" when what we actually care about, in practice,
is "*Will* it be used in a secure fashion".  Then we go away happy with
ourselves for getting the "technical details" right -- except that we've
done so only by declaring the difficult issue of whether users of only
middling intelligence and knowledge will actually be able to correctly
use what we've specified to be out-of-scope.

This would be a particularly bad place to make that mistake.
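As an added illustration (not code from this thread or from any IPsec implementation), a minimal model of SPD selector matching with the "any"/"opaque" port values discussed above. It assumes the selector semantics later written into RFC 4301: OPAQUE stands for a port that cannot be read from the packet (a non-initial fragment has no transport header), and ANY also covers OPAQUE. The policy and packets are constructed; they show a port-specific PROTECT rule letting a non-initial fragment fall through to the administrator's catch-all BYPASS, and the extra OPAQUE rule closing that gap.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

# Port selector wildcards as used in the SPD discussion in this thread.
ANY = "ANY"        # matches every port value, including OPAQUE
OPAQUE = "OPAQUE"  # matches only packets whose port cannot be determined

@dataclass(frozen=True)
class Packet:
    proto: int                 # IP protocol number (6 = TCP)
    frag_offset: int           # fragment offset; > 0 means a non-initial fragment
    dst_port: Optional[int]    # None when no transport header is present

@dataclass(frozen=True)
class SpdRule:
    proto: Union[int, str]     # a protocol number or ANY
    dst_port: Union[int, str]  # a port number, ANY, or OPAQUE
    action: str                # "PROTECT", "BYPASS" or "DISCARD"

def effective_port(pkt: Packet) -> Union[int, str]:
    """A non-initial fragment carries no transport header, so its port is OPAQUE."""
    if pkt.frag_offset > 0 or pkt.dst_port is None:
        return OPAQUE
    return pkt.dst_port

def rule_matches(rule: SpdRule, pkt: Packet) -> bool:
    if rule.proto != ANY and rule.proto != pkt.proto:
        return False
    port = effective_port(pkt)
    if rule.dst_port == ANY:
        return True
    if rule.dst_port == OPAQUE:
        return port == OPAQUE
    return port == rule.dst_port   # a concrete port never matches OPAQUE

def lookup(spd: List[SpdRule], pkt: Packet) -> str:
    """Ordered SPD search; returns the action of the first matching rule."""
    for rule in spd:
        if rule_matches(rule, pkt):
            return rule.action
    return "DISCARD"  # assumption: no rule matched, fail closed

# Constructed policy: protect web traffic, let everything else through unprotected.
SPD_PORT_ONLY = [SpdRule(6, 80, "PROTECT"), SpdRule(ANY, ANY, "BYPASS")]
# The same policy with the extra OPAQUE selector the message says a MUST could be met by.
SPD_WITH_OPAQUE = [SpdRule(6, 80, "PROTECT"), SpdRule(6, OPAQUE, "PROTECT"),
                   SpdRule(ANY, ANY, "BYPASS")]

# Constructed packets: the first fragment of a TCP/80 datagram and a later fragment.
INITIAL_FRAG = Packet(proto=6, frag_offset=0, dst_port=80)
NONINITIAL_FRAG = Packet(proto=6, frag_offset=185, dst_port=None)
```

With the port-only policy the later fragment is bypassed, i.e. sent in the clear, exactly the silent failure the message warns about; with the OPAQUE rule it is protected.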