
Re: Traffic selectors, fragments, ICMP messages and security policy problems
Markku Savela writes:
> Before going into details, just to restate my view of how dealing with
> fragments should be stated in the RFC:
> 
> 1. The IPSEC that is applied to all fragments must be exactly the same
>    that would be applied to the same packet when fully assembled.
> 
> 2. Implementation can limit support for IPSEC on fragments to policies
>    that don't use port selectors.
> 
> Above simple and clear, and does not lead to very convoluted
> additional specifications.

I agree. The above is simple and it covers the most common cases (i.e.
if you do not want to do the first option, then simply do not support
fragments and port selectors). Also if your setup is such that option
1 is not possible (for example load balancing between multiple
security gateways) do not allow port selectors or do not allow
fragments. 
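The two rules above, as an added example of SPD lookup logic (not code from the thread or from any IPsec implementation): every fragment of a packet is mapped to the same policy entry as the whole packet would be, and a fragment that could only be classified by a port selector is discarded instead of guessed at. The SPD entries, addresses and field names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    name: str
    dst: str
    proto: int
    dport: Optional[int] = None   # None = no port selector (any port)


@dataclass
class Packet:
    dst: str
    proto: int
    frag_offset: int              # 0 for the first fragment / unfragmented
    more_frags: bool              # MF flag
    dport: Optional[int]          # only knowable on the first fragment


# Constructed SPD: first match wins, as in an ordered policy database.
SPD = [
    Policy("ssh-esp", "10.0.0.5", 6, 22),   # port selector
    Policy("host-esp", "10.0.0.9", 6),      # address/protocol only
]


def is_fragment(pkt: Packet) -> bool:
    return pkt.frag_offset > 0 or pkt.more_frags


def select_policy(pkt: Packet) -> str:
    """Return the SPD entry to apply, or "DISCARD"."""
    for pol in SPD:
        if pol.dst != pkt.dst or pol.proto != pkt.proto:
            continue
        if pol.dport is None:
            # Rule 1: no port selector, so every fragment of the packet
            # gets exactly the same treatment as the assembled packet.
            return pol.name
        if is_fragment(pkt):
            # Rule 2: port selectors are not supported on fragments. Even
            # the first fragment is discarded, so all fragments agree.
            return "DISCARD"
        if pol.dport == pkt.dport:
            return pol.name
    return "DISCARD"
```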
-- 
kivinen@safenet-inc.com