[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 2nd try

To: "Tero Kivinen" <kivinen@iki.fi>, "Stephen Kent" <kent@bbn.com>
Subject: Re: 2nd try
From: "Mohan Parthasarathy" <mohanp@sbcglobal.net>
Date: Tue, 30 Mar 2004 18:00:19 -0800
Cc: <ipsec@lists.tislabs.com>, "russ housley" <housley@vigilsec.com>
References: <p06020400bc84e3428b9d@[128.89.89.75]> <16480.15529.482315.278735@fireball.acr.fi> <p06020405bc8617b47e2c@[128.89.89.75]>
Sender: owner-ipsec@lists.tislabs.com

 Steve,

I am okay with your recommendations except for the second.

<SNIP>

    > >  > 2. All implementations MUST support tunnel mode SAs that will carry
> >>  only non-initial fragments, separate from non-fragmented packets and
> >>  initial fragments. The OPAQUE value will be used to specify port
> >>  field selectors for an SA to carry non-initial fragments. Specific
> >>  port selector values will be used to define SAs to carry initial
> >>  fragments and non-fragmented packets. This approach can be used if a
> >
> >If this is added, I think negotiating it in the IKE using the protocol
> >44 (issue #81), is much cleaner way than the special port values. On
> >the other hand that does not allow negotiation of the only TCP
> >fragments. Perhaps the special port range is then better, i.e. in IKE
> >v2 use port range of 65535-0 (= non-first fragment).
> 
> I'm flexible on what the encoding should be for OPAQUE in IKEv2.
> 
> >  > user or administrator wants to create one or more tunnel mode SAs
> >>  between the same source/destination addresses that discriminate based
> >>  on port fields.  These SAs MUST have non-trivial protocol selector
> >>  values, otherwise approach #1 above can be used. Receivers MUST
> >>  perform a minimum offset check on IPv4 (non-initial) fragments to
> >>  protect against overlapping fragment attacks when SAs of this type
> >>  are employed. Because such checks cannot be performed on IPv6
> >>  non-initial fragments, users and administrators are advised that
> >>  carriage of such fragments may be dangerous, and implementers may
> >>  choose to NOT support such SAs for IPv6 traffic. Also, because a SA
> >
> >The beginning says this is MUST, and here you say implementators can
> >choose not to support it. I think it shoud say it is MUST for IPv4 and
> >MAY/SHOULD for IPv6
> 
> I intended to convey the notion that it is a MUST for v4, but not for 
> v6, for the reason cited. I'm comfortable with a MAY for v6.
> 
Why is it a MUST for IPv4 ? You have just mentioned one case as a problematic
case for IPv4 in the conclusion and given a solution as to how one may overcome
this for IPv4. But the earlier sections in the document mentioned a few others
which indicate that one could get into problems by configuring fragment-only SAs.
If  the implementation takes the conservative approach of keeping it simple and secure
(Vs performance), isn't MUST a bit too strong ? 

thanks
-mohan

Follow-Ups:
- Re: 2nd try
  - From: Stephen Kent <kent@bbn.com>

References:
- 2nd try
  - From: Stephen Kent <kent@bbn.com>
- 2nd try
  - From: Tero Kivinen <kivinen@iki.fi>
- Re: 2nd try
  - From: Stephen Kent <kent@bbn.com>

Prev by Date: Issue 83 will be withdrawn
Next by Date: clarification on IKEv2 with EAP
Previous by thread: Re: 2nd try
Next by thread: Re: 2nd try
Index(es):
- Date
- Thread