Re: Traffic selectors, fragments, ICMP messages and security policy problems
>>>>> "Tero" == Tero Kivinen <kivinen@iki.fi> writes:
>> Before going into details, just to restate my view of how dealing
>> with fragments should be stated in the RFC:
>>
>> 1. The IPSEC that is applied to all fragments must be exactly the
>> same that would be applied to the same packet when fully
>> assembled.
>>
>> 2. Implementation can limit support for IPSEC on fragments to
>> policies that don't use port selectors.
>>
>> Above simple and clear, and does not lead to very convoluted
>> additional specifications.
Tero> I agree. The above is simple and it covers the most common
Tero> cases (i.e. if you do not want to do the first option, then
Tero> simply do not support fragments and port selectors). Also if
Tero> your setup is such that option 1 is not possible (for example
Tero> load balancing between multiple security gateways) do not
Tero> allow port selectors or do not allow fragments. --
I concur.
The requirements:
1) port-selectors
2) support fragments
3) do gateway or BITW
are conflicting. Pick two.
--
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
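A minimal SPD lookup that follows the two rules quoted in this message, as an added example (not code from this thread or from any IPsec implementation): the SPD entries, packet fields and verdict names are constructed for illustration. Entries without port selectors treat a fragment exactly as they would the reassembled packet (rule 1); where a port-selector entry is reached, the fragment is dropped rather than guessed at, which is the "do not support fragments with port selectors" choice (rule 2).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Policy:                       # one SPD entry; None means "any" for that selector
    name: str
    src: str                        # source address range, CIDR
    dst: str                        # destination address range, CIDR
    proto: Optional[int] = None
    dport: Optional[int] = None     # port selector; most entries have none
    action: str = "protect"

@dataclass
class Packet:                       # selector-relevant fields of one packet or fragment
    src: str
    dst: str
    proto: int
    frag_offset: int = 0            # 8-octet units; >0 means a non-initial fragment
    more_frags: bool = False        # MF flag: first fragment of a larger datagram
    dport: Optional[int] = None     # known only when the transport header is present

def is_fragment(pkt: Packet) -> bool:
    return pkt.frag_offset > 0 or pkt.more_frags

def lookup(spd, pkt):
    """First-match SPD search returning (policy, verdict). Non-initial fragments
    carry no ports, and matching only the first fragment against a port selector
    would give the pieces of one datagram different treatment (violating rule 1),
    so any fragment that reaches a port-selector entry is dropped (rule 2)."""
    for pol in spd:
        if ip_address(pkt.src) not in ip_network(pol.src):
            continue
        if ip_address(pkt.dst) not in ip_network(pol.dst):
            continue
        if pol.proto is not None and pol.proto != pkt.proto:
            continue
        if pol.dport is None:
            return pol, pol.action
        if is_fragment(pkt):
            return pol, "drop-fragment"
        if pol.dport == pkt.dport:
            return pol, pol.action
    return None, "discard"          # nothing matched: the IPsec default is to discard

# Constructed sample SPD (not from the thread); only the first entry uses a port selector.
SPD = [
    Policy("ssh-to-server", "10.0.0.0/24", "192.0.2.10/32", proto=6, dport=22),
    Policy("all-to-dmz", "10.0.0.0/24", "192.0.2.0/24"),
    Policy("everything-else", "0.0.0.0/0", "0.0.0.0/0", action="bypass"),
]
```

Note that a fragment to a host covered only by "all-to-dmz" is still protected, because no port selector is involved; only fragments that hit the "ssh-to-server" entry are refused.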
- References:
- Re: Traffic selectors, fragments, ICMP messages and security policy problems
- From: Markku Savela <msa@burp.tkv.asdf.org>
- Re: Traffic selectors, fragments, ICMP messages and security policy problems
- From: Stephen Kent <kent@bbn.com>
- Re: Traffic selectors, fragments, ICMP messages and security policy problems
- From: Markku Savela <msa@burp.tkv.asdf.org>
- Re: Traffic selectors, fragments, ICMP messages and security policy problems
- From: Stephen Kent <kent@bbn.com>
- Re: Traffic selectors, fragments, ICMP messages and security policy problems
- From: Markku Savela <msa@burp.tkv.asdf.org>
- Re: Traffic selectors, fragments, ICMP messages and security policy problems
- From: Tero Kivinen <kivinen@iki.fi>