
Re: Traffic selectors, fragments, ICMP messages and security policy problems



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Tero" == Tero Kivinen <kivinen@iki.fi> writes:
    >> Before going into details, just to restate my view of how dealing
    >> with fragments should be stated in the RFC:
    >> 
    >> 1. The IPSEC that is applied to all fragments must be exactly the
    >> same that would be applied to the same packet when fully
    >> assembled.
    >> 
    >> 2. Implementation can limit support for IPSEC on fragments to
    >> policies that don't use port selectors.
    >> 
    >> Above simple and clear, and does not lead to very convoluted
    >> additional specifications.

    Tero> I agree. The above is simple and it covers the most common
    Tero> cases (i.e.  if you do not want to do the first option, then
    Tero> simply do not support fragments and port selectors). Also if
    Tero> your setup is such that option 1 is not possible (for example
    Tero> load balancing between multiple security gateways) do not
    Tero> allow port selectors or do not allow fragments. --

  I concur.

  The requirements:
      1) port-selectors
      2) support fragments
      3) do gateway or BITW

  are conflicting. Pick two.

- --
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQFYMb4qHRg3pndX9AQEs0gP/XUtGc1c7TMWOS6C6lkd8gtr2a7C7F1Oj
jUnxoUh/V038rVIQe54EgVjOTDa2Loa7/8poBz1RQITh4H9eBsA6DLL40S0rxOK1
dZaB0/aF0VCDvfIFdZprteEpa+sYNroXGL/hsPj5EermbrX8kLBbQNKqSLIJxMTr
rE8kovD4AbM=
=L3E9
-----END PGP SIGNATURE-----
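The "pick two" conflict above can be made concrete with a small model of an SPD lookup. The following is an added example, not code from the thread or from any IPsec implementation; the `SecurityPolicyDatabase`, `SpdEntry` and `Packet` names, the `reassembles` flag and the sample addresses are all constructed for illustration. A host that reassembles decides the policy once on the whole datagram and applies it to every fragment (point 1); a gateway or BITW device that forwards fragments as-is cannot see transport ports in non-initial fragments, so it refuses to install port-selector policies at all (point 2) and classifies each fragment on addresses and protocol alone, which every fragment's IP header carries.

```python
"""Constructed model of the fragment / port-selector conflict (added example)."""
from dataclasses import dataclass
from typing import List, Optional

PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                      # IP protocol number: 6 = TCP, 17 = UDP, ...
    frag_offset: int = 0            # in 8-octet units; > 0 for non-initial fragments
    more_fragments: bool = False
    dst_port: Optional[int] = None  # None when no transport header is visible

    @property
    def is_fragment(self) -> bool:
        return self.frag_offset > 0 or self.more_fragments


@dataclass(frozen=True)
class SpdEntry:
    src: str
    dst: str
    proto: Optional[int]      # None = any protocol
    dst_port: Optional[int]   # None = no port selector
    action: str               # PROTECT, BYPASS or DISCARD

    def has_port_selector(self) -> bool:
        return self.dst_port is not None

    def matches_addresses(self, p: Packet) -> bool:
        return (p.src == self.src and p.dst == self.dst
                and (self.proto is None or self.proto == p.proto))


class SecurityPolicyDatabase:
    """Ordered SPD; unmatched traffic is discarded (the usual IPsec default)."""

    def __init__(self, reassembles: bool):
        # reassembles=True : a host stack that reassembles before the SPD lookup
        # reassembles=False: a gateway / BITW box that forwards fragments as-is
        self.reassembles = reassembles
        self.entries: List[SpdEntry] = []

    def install(self, entry: SpdEntry) -> None:
        # Point 2 from the thread: a device that does not reassemble limits
        # fragment support to policies without port selectors, so it rejects
        # such entries up front instead of misclassifying fragments later.
        if not self.reassembles and entry.has_port_selector():
            raise ValueError("port selectors unsupported on a non-reassembling device")
        self.entries.append(entry)

    def _lookup(self, p: Packet) -> str:
        for e in self.entries:
            if not e.matches_addresses(p):
                continue
            if e.has_port_selector():
                if p.dst_port is None:
                    # Transport header absent: this selector cannot be evaluated.
                    raise ValueError("cannot evaluate port selector without L4 header")
                if e.dst_port != p.dst_port:
                    continue
            return e.action
        return DISCARD

    def classify(self, fragments: List[Packet]) -> List[str]:
        """One action per fragment of a single datagram.

        Point 1 from the thread: every fragment must get exactly the IPsec
        treatment the reassembled packet would get.
        """
        if self.reassembles:
            # Decide once on the initial fragment (it carries the ports after
            # reassembly) and apply that decision to all fragments.
            first = next(p for p in fragments if p.frag_offset == 0)
            return [self._lookup(first)] * len(fragments)
        # Gateway: per-fragment lookup is safe only because install() has
        # guaranteed that no entry depends on ports.
        return [self._lookup(p) for p in fragments]


def sample_fragments() -> List[Packet]:
    """Constructed two-fragment TCP datagram, 10.0.0.1 -> 10.0.1.1 port 80."""
    return [
        Packet("10.0.0.1", "10.0.1.1", 6, frag_offset=0, more_fragments=True, dst_port=80),
        Packet("10.0.0.1", "10.0.1.1", 6, frag_offset=185, more_fragments=False),
    ]


if __name__ == "__main__":
    host = SecurityPolicyDatabase(reassembles=True)
    host.install(SpdEntry("10.0.0.1", "10.0.1.1", 6, 80, BYPASS))
    host.install(SpdEntry("10.0.0.1", "10.0.1.1", None, None, PROTECT))
    print("host   :", host.classify(sample_fragments()))

    gateway = SecurityPolicyDatabase(reassembles=False)
    gateway.install(SpdEntry("10.0.0.1", "10.0.1.1", None, None, PROTECT))
    print("gateway:", gateway.classify(sample_fragments()))
```

Running the module prints the host applying `BYPASS` to both fragments (the port-80 rule matched once on the whole datagram) and the gateway applying `PROTECT` to both; trying to install the port-80 entry on the gateway raises, which is the "pick two" choice made explicit in code.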