
Re: Traffic selectors, fragments, ICMP messages and security policy problems



Michael Richardson writes:
>   The requirements:
>       1) port-selectors
>       2) support fragments
>       3) do gateway or BITW
> 
>   are conflicting. Pick two.

Actually no. Change the 3rd requirement to:

    3) do multipath gateway or BITW solution, where fragments of a
       packet can go out from different SGW.

You can do gateways and BITWs without problems, but you cannot do that
if you want to support cases where you have multiple SGWs and
fragments of the packet can be split between those SGWs.

How often have you seen that scenario?

There are ways to get even that working: either make sure that all
fragments end up at the same SGW (easy in the load-balancing case;
simply make sure the balancer uses an algorithm that will put all
fragments to the same SGW every time. As there are other benefits to
that, those boxes usually try to do that anyway, i.e. they try to keep
one TCP/IP stream on the same path to make TCP/IP work better).

If you cannot have that, then you would need communication between the
boxes about the initial fragments. Again, I think that we are now
talking about the 0.01% case, thus we can safely ignore it and say:
do whatever you like.

So to rephrase that statement:

If an IPSEC policy decision (AH, ESP, bypass, drop) is applied to
fragments where the policy has tunnel mode port selectors, then all
fragments must have exactly the same processing that would be applied
to the same packet when fully assembled.
-- 
kivinen@safenet-inc.com
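The rule stated at the end of the message (every fragment gets the processing the reassembled packet would get) is awkward because only the first fragment carries the transport header, so a port selector cannot be matched against the trailing fragments. The following Python model, added here as an illustration and not code from this thread or from any IPsec implementation, shows one way a single gateway can keep that invariant: the SPD decision is taken from the first fragment and cached under the packet's (src, dst, proto, id) key, trailing fragments that arrive before the first one are held until it shows up, and every fragment of the packet is then released with the same action. The SPD entries, addresses and fragment sizes are constructed for the example; the per-packet decision cache is exactly the "communication about the initial fragments" that would have to be shared between boxes in the multi-SGW case the message treats as negligible.

```python
"""Toy model: apply an IPsec SPD decision consistently to all IP fragments.

Constructed example for illustration; not an implementation from any IPsec
stack. Addresses, ports and SPD entries below are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: int
    ident: int                 # IP identification, shared by all fragments of one packet
    offset: int                # fragment offset in 8-byte units; 0 for the first fragment
    more: bool                 # MF flag
    dport: Optional[int] = None  # transport header only visible on the first fragment

@dataclass(frozen=True)
class SpdEntry:
    action: str                # "AH", "ESP", "BYPASS" or "DROP"
    proto: Optional[int] = None  # None = any protocol
    dport: Optional[int] = None  # port selector; None = any port

# Constructed SPD: protect HTTP, bypass SSH, drop everything else.
SPD: List[SpdEntry] = [
    SpdEntry("ESP", proto=6, dport=80),
    SpdEntry("BYPASS", proto=6, dport=22),
    SpdEntry("DROP"),
]

def spd_lookup(proto: int, dport: Optional[int]) -> str:
    """First-match SPD lookup on (proto, dport); default is DROP."""
    for entry in SPD:
        if entry.proto is not None and entry.proto != proto:
            continue
        if entry.dport is not None and entry.dport != dport:
            continue
        return entry.action
    return "DROP"

FlowKey = Tuple[str, str, int, int]

class FragmentPolicy:
    """Decide per fragment, but never differently from the assembled packet."""

    def __init__(self) -> None:
        self.decisions: Dict[FlowKey, str] = {}          # learned from first fragment
        self.pending: Dict[FlowKey, List[Fragment]] = {}  # trailing fragments seen early

    @staticmethod
    def key(f: Fragment) -> FlowKey:
        return (f.src, f.dst, f.proto, f.ident)

    def process(self, f: Fragment) -> List[Tuple[Fragment, str]]:
        """Return the (fragment, action) pairs that may be released now."""
        k = self.key(f)
        if f.offset == 0:
            # The first fragment is the only one the port selector can be matched
            # against; its decision binds every other fragment of this packet.
            action = spd_lookup(f.proto, f.dport)
            self.decisions[k] = action
            held = self.pending.pop(k, [])
            return [(f, action)] + [(p, action) for p in held]
        if k in self.decisions:
            return [(f, self.decisions[k])]
        # Trailing fragment arrived before the first one: hold it rather than
        # guess, since a guess could differ from the assembled packet's decision.
        # A real implementation would also time out and discard stale entries.
        self.pending.setdefault(k, []).append(f)
        return []

def classify(fragments: List[Fragment]) -> Dict[Tuple[int, int], str]:
    """Run fragments through the policy in arrival order; map (id, offset) -> action."""
    fp = FragmentPolicy()
    out: Dict[Tuple[int, int], str] = {}
    for f in fragments:
        for frag, action in fp.process(f):
            out[(frag.ident, frag.offset)] = action
    return out

# Constructed arrival order: middle fragment first, then the first, then the last.
SAMPLE = [
    Fragment("10.0.0.1", "10.0.0.2", 6, 1000, 185, True),
    Fragment("10.0.0.1", "10.0.0.2", 6, 1000, 0, True, dport=80),
    Fragment("10.0.0.1", "10.0.0.2", 6, 1000, 370, False),
    Fragment("10.0.0.1", "10.0.0.2", 6, 1001, 0, True, dport=22),
    Fragment("10.0.0.1", "10.0.0.2", 6, 1001, 185, False),
]

if __name__ == "__main__":
    for (ident, offset), action in sorted(classify(SAMPLE).items()):
        print(f"id={ident} offset={offset}: {action}")
```

Note that the held fragment is released only once the first fragment has been seen, so the model never emits two different actions for one packet id; the price is per-packet state, which is exactly what cannot be shared for free when fragments of one packet reach different gateways.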