[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: 2nd try
Steve,
I am okay with your recommendations except for the second.
<SNIP>
> > > 2. All implementations MUST support tunnel mode SAs that will carry
> >> only non-initial fragments, separate from non-fragmented packets and
> >> initial fragments. The OPAQUE value will be used to specify port
> >> field selectors for an SA to carry non-initial fragments. Specific
> >> port selector values will be used to define SAs to carry initial
> >> fragments and non-fragmented packets. This approach can be used if a
> >
> >If this is added, I think negotiating it in the IKE using the protocol
> >44 (issue #81), is much cleaner way than the special port values. On
> >the other hand that does not allow negotiation of the only TCP
> >fragments. Perhaps the special port range is then better, i.e. in IKE
> >v2 use port range of 65535-0 (= non-first fragment).
>
> I'm flexible on what the encoding should be for OPAQUE in IKEv2.
>
> > > user or administrator wants to create one or more tunnel mode SAs
> >> between the same source/destination addresses that discriminate based
> >> on port fields. These SAs MUST have non-trivial protocol selector
> >> values, otherwise approach #1 above can be used. Receivers MUST
> >> perform a minimum offset check on IPv4 (non-initial) fragments to
> >> protect against overlapping fragment attacks when SAs of this type
> >> are employed. Because such checks cannot be performed on IPv6
> >> non-initial fragments, users and administrators are advised that
> >> carriage of such fragments may be dangerous, and implementers may
> >> choose to NOT support such SAs for IPv6 traffic. Also, because a SA
> >
> >The beginning says this is MUST, and here you say implementators can
> >choose not to support it. I think it shoud say it is MUST for IPv4 and
> >MAY/SHOULD for IPv6
>
> I intended to convey the notion that it is a MUST for v4, but not for
> v6, for the reason cited. I'm comfortable with a MAY for v6.
>
Why is it a MUST for IPv4 ? You have just mentioned one case as a problematic
case for IPv4 in the conclusion and given a solution as to how one may overcome
this for IPv4. But the earlier sections in the document mentioned a few others
which indicate that one could get into problems by configuring fragment-only SAs.
If the implementation takes the conservative approach of keeping it simple and secure
(Vs performance), isn't MUST a bit too strong ?
thanks
-mohan
- References:
- 2nd try
- From: Stephen Kent <kent@bbn.com>
- 2nd try
- From: Tero Kivinen <kivinen@iki.fi>
- Re: 2nd try
- From: Stephen Kent <kent@bbn.com>