[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Traffic selectors, fragments, ICMP messages and security policy problems

To: ipsec@lists.tislabs.com
Subject: Re: Traffic selectors, fragments, ICMP messages and security policy problems
From: Thor Lancelot Simon <tls@rek.tjls.com>
Date: Thu, 26 Feb 2004 18:48:46 -0500
In-reply-to: <20939.1077818284@marajade.sandelman.ottawa.on.ca>
References: <20040226013359.GA683@panix.com> <20939.1077818284@marajade.sandelman.ottawa.on.ca>
Reply-to: tls@rek.tjls.com
Sender: owner-ipsec@lists.tislabs.com
User-agent: Mutt/1.4.2.1i

On Thu, Feb 26, 2004 at 12:58:04PM -0500, Michael Richardson wrote:
> 
> Steve and Thor post about situations where there are per-port selectors
> between two hosts. That does not present a fragmentation problem - you

Not necessarily; one end may be a gateway for the ultimate destination of
the traffic.  Think "offload box in front of logging applicance that 
doesn't have IPsec".

I have run into a situation analogous to this, that I can't really describe
in detail, that did in fact require both fragmentation and per-port 
selectors.  Strange but true.

Thor

References:
- Re: Traffic selectors, fragments, ICMP messages and security policy problems
  - From: Thor Lancelot Simon <tls@rek.tjls.com>
- Re: Traffic selectors, fragments, ICMP messages and security policy problems
  - From: Michael Richardson <mcr@sandelman.ottawa.on.ca>

Prev by Date: Re: AD requests WG review of final revisions todraft-ietf-ipsec-nat-reqts-06.txt <= 48hrs please
Next by Date: Re: AD requests WG review of final revisions to draft-ietf-ipsec-nat-reqts-06.txt <= 48hrs please
Previous by thread: Re: Traffic selectors, fragments, ICMP messages and security policy problems
Next by thread: [no subject]
Index(es):
- Date
- Thread