
Re: Traffic selectors, fragments, ICMP messages and security policy problems



Michael Richardson writes:
>   I'm assuming that assembling fragments at either end for checking is
> too expensive for high speed boxes that won't wish to queue.

I don't really believe that. I think there are boxes out there that can
handle 100 Mbit/s or even 1 Gbit/s NFS traffic without problems. All
the packets there are fragments (8 kB or similar UDP packets), thus
they can reassemble them there without problems, and probably even without
any hardware help.

I do not believe it is that hard to do the partial reassembly even on
faster links, especially as it will need special hardware to do the
IPsec encryption at those speeds, and adding partial reassembly for
those few packets that really are fragmented shouldn't be a problem.

>   That's what we were told on the list.

Ok, I will tell you otherwise, do you believe me :-)

Anyways, if your box is too slow to handle the traffic at full speed
when there are a couple of fragments around, then you either advertise
it with a lower speed (not very likely), or you simply ignore the
problem, and say that we do not support fragments with port selectors.

>     Tero> You can do gateways and BITWs without problems, but you cannot
>     Tero> do that if you want to support cases where you have multiple
>     Tero> SGWs and fragments of the packet can be split between those SGWs.
>   Right, I agree. But aren't the gateways/BITWs going to assemble the
> fragments in this case?

They need to do partial reassembly, meaning that in the normal case
(fragments in order, no dropped packets), the cost is 4+4+2+4 (src ip,
dst ip, id, used spi) bytes per fragment for a few seconds. If you are
using a 1 Gbit/s link and sending 8 kB packets fragmented into 6 pieces,
that will mean 16k packets/s. If we assume the total memory needed per
fragment is 32 bytes, and you want to keep them for the full ttl seconds
(say 64 seconds), then you will need 32 MB of buffers to store that
information.

If only 1% of packets are fragments, and they all miss the first fragment
for some reason, then you need 66 MB of buffer space to store the
non-first fragments for 64 seconds.

Does anybody have any statistics on how many of the packets in the net
are fragmented?

>     Tero> If IPSEC policy decision (AH, ESP, bypass, drop) is applied to
>     Tero> fragments where policy has tunnel mode port selectors, then all
>     Tero> fragments must have exactly the same processing that would be applied
>     Tero> to the same packet when fully assembled. 
> 
>   I agree.
-- 
kivinen@safenet-inc.com
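An added illustration of the partial reassembly Tero describes above (example code written for this page; it is not code from either poster, nor from any IPsec implementation). It keeps only a (src ip, dst ip, protocol, id) -> decision entry per datagram, applies the first fragment's tunnel-mode policy decision to every later fragment, queues non-first fragments that overtake their first fragment, and drops what is still queued when the ttl lapses, so a fragment never receives a different decision than the assembled packet would. The policy table, the packet model, the ttl and queue bound, the NFS datagram used as input, and the rule that drops a first fragment too short to carry its ports are assumptions of this example, not statements from the thread.

```python
"""Partial reassembly for IPsec policy lookup on fragmented packets (added example).

Only (src, dst, proto, id) -> decision is kept per datagram, as the post describes.
The policy table, ttl, max_pending and the tiny-first-fragment drop rule are
assumptions of this example, not statements from the original thread.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Fragment:
    src: str
    dst: str
    proto: int                  # 17 = UDP, 6 = TCP, 1 = ICMP
    ip_id: int
    offset: int                 # fragment offset in 8-byte units
    more_fragments: bool
    sport: Optional[int] = None  # ports are only visible in the first fragment
    dport: Optional[int] = None


FragKey = Tuple[str, str, int, int]      # (src, dst, proto, id)
Decision = Tuple[Fragment, str]

# Constructed tunnel-mode policy with port selectors: (proto, dport) -> action.
SAMPLE_POLICY = {(17, 2049): "esp spi=0x1001", (6, 22): "esp spi=0x1002", (1, None): "bypass"}


def sample_policy(proto: int, dport: Optional[int]) -> str:
    return SAMPLE_POLICY.get((proto, dport)) or SAMPLE_POLICY.get((proto, None)) or "drop"


class PartialReassembler:
    def __init__(self, policy: Callable[[int, Optional[int]], str],
                 ttl: float = 64.0, max_pending: int = 64):
        self.policy, self.ttl, self.max_pending = policy, ttl, max_pending
        self.decisions: Dict[FragKey, Tuple[str, float]] = {}           # key -> (action, expiry)
        self.pending: Dict[FragKey, Tuple[List[Fragment], float]] = {}  # fragments that overtook their first

    def expire(self, now: float) -> List[Decision]:
        """Forget decisions older than ttl; drop queued fragments whose first never came."""
        for k in [k for k, (_, exp) in self.decisions.items() if exp <= now]:
            del self.decisions[k]
        dropped: List[Decision] = []
        for k in [k for k, (_, exp) in self.pending.items() if exp <= now]:
            dropped += [(f, "drop") for f in self.pending.pop(k)[0]]
        return dropped

    def process(self, frag: Fragment, now: float) -> List[Decision]:
        out = self.expire(now)
        key = (frag.src, frag.dst, frag.proto, frag.ip_id)
        if frag.offset == 0:                        # first (or only) fragment: ports are here
            if frag.proto in (6, 17) and (frag.sport is None or frag.dport is None):
                action = "drop"                     # too short to carry the transport header
            else:
                action = self.policy(frag.proto, frag.dport)
            out.append((frag, action))
            if frag.more_fragments:                 # remember the decision for the rest
                self.decisions[key] = (action, now + self.ttl)
                out += [(f, action) for f in self.pending.pop(key, ([], 0.0))[0]]
            return out
        if key in self.decisions:                   # normal case: first fragment already seen
            return out + [(frag, self.decisions[key][0])]
        queued, exp = self.pending.get(key, ([], now + self.ttl))
        if len(queued) >= self.max_pending:         # bound memory instead of buffering forever
            return out + [(frag, "drop")]
        queued.append(frag)
        self.pending[key] = (queued, exp)
        return out


def fragment_udp(src: str, dst: str, ip_id: int, sport: int, dport: int,
                 payload_len: int, mtu: int = 1500) -> List[Fragment]:
    """Split a UDP datagram the way an IPv4 stack would (20-byte header, no options)."""
    total, step = 8 + payload_len, (mtu - 20) // 8 * 8   # 1480 bytes per fragment at 1500 MTU
    frags = []
    for off in range(0, total, step):
        first = off == 0
        frags.append(Fragment(src, dst, 17, ip_id, off // 8, off + step < total,
                              sport if first else None, dport if first else None))
    return frags


def state_bytes(fragments_per_second: float, bytes_per_entry: int, ttl_seconds: float) -> int:
    """Decision-table memory if every entry lives a full ttl (the post's 16k pps, 32 B, 64 s)."""
    return int(fragments_per_second * bytes_per_entry * ttl_seconds)


def run(order: List[Fragment], start: float = 100.0) -> List[Tuple[int, str]]:
    """Feed fragments in the given order, 1 ms apart; return (offset, action) pairs."""
    r = PartialReassembler(sample_policy)
    out: List[Decision] = []
    for i, f in enumerate(order):
        out += r.process(f, start + i * 0.001)
    return [(f.offset, a) for f, a in out]


NFS = fragment_udp("10.0.0.1", "10.0.1.5", 0x1234, 1023, 2049, 8192)   # constructed: 6 fragments


def in_order() -> List[Tuple[int, str]]:
    return run(NFS)


def out_of_order() -> List[Tuple[int, str]]:
    return run([NFS[2], NFS[0], NFS[1], NFS[3], NFS[5], NFS[4]])


def orphan_then_icmp() -> List[Tuple[int, str]]:
    """A non-first fragment whose first never arrives is dropped once its ttl lapses."""
    r = PartialReassembler(sample_policy, ttl=64.0)
    out = r.process(NFS[3], 100.0)                       # queued, nothing decided yet
    ping = Fragment("10.0.0.9", "10.0.1.5", 1, 7, 0, False)
    out += r.process(ping, 200.0)                        # 100 s later: orphan expires, ping bypasses
    return [(f.offset, a) for f, a in out]


def tiny_first_fragment() -> List[Tuple[int, str]]:
    """First fragment without a transport header is dropped, and so is the rest of the datagram."""
    short = Fragment("10.0.0.1", "10.0.1.5", 17, 0x1235, 0, True)      # no ports visible
    rest = Fragment("10.0.0.1", "10.0.1.5", 17, 0x1235, 1, False)
    return run([short, rest])


if __name__ == "__main__":
    for name, fn in (("in order", in_order), ("out of order", out_of_order),
                     ("orphan", orphan_then_icmp), ("tiny first", tiny_first_fragment)):
        print(name, fn())
    print("state bytes at 16k fragments/s:", state_bytes(16_000, 32, 64))
```

The normal path touches only the small decision table, which is the 32 MB figure at 16k fragments/s and a 64 s ttl; the pending queue is what the 66 MB figure for missing first fragments refers to, and bounding it per datagram (max_pending) is what keeps a flood of orphan non-first fragments from exhausting the gateway's memory.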