
Re: 2nd try



Stephen Kent writes:
> We would like to have at least one, mandatory way for two IPsec peers 
> to carry fragments via SAs, when port-specific SAs are employed, 
> hence we need at least one approach that is a MUST. The third 
> recommendation would satisfy the requirement, but the reassembly 
> process may be a hardship for very high speed implementations. That's 

I think we should select the most secure protocol (i.e. case #3) as
MUST, and allow #2 protocol for high-speed implementations as MAY.

This way we would always have one MUST to implement version which
allows secure transport of fragments over port selector SAs, and the
requirements would be the same for IPv4 and IPv6.

> why I suggested this option as a MAY. The reason for making the 
> second recommendation the MUST, for IPv4, is because it satisfies the 
> requirement, and does not seem likely to impose performance 
> penalties. It is only a MAY/SHOULD for IPv6 because there are 
> security problems for v6 when dealing with fragments w/o reassembly, 
> as noted in the analysis.

So for IPv6 there is no MUST to implement protocol at all?

> >If the implementation takes the conservative approach of keeping it 
> >simple and secure (vs. performance), isn't MUST a bit too strong?
> 
> Reassembly or reassembly-like state tracking is not simple, although 

It is not that complicated either. Full reassembly code in the NetBSD
kernel is about 200 lines (not counting code for general queue macros
etc.), our partial and full reassembly code is about 1000 lines (it
does quite a lot more than only partial reassembly).

> if properly implemented it is secure for both IPv4 and v6. That is 
> its major benefit, in my view.

Which is the reason I would like it to be MUST, or at least SHOULD,
and the case #2 to be MAY.
-- 
kivinen@safenet-inc.com
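As an added illustration of the "case #3" path argued for above (this is example code, not from the thread or from any IPsec implementation), the following toy reassembles a datagram before matching it against port-selector SAs; the `Fragment`, `Reassembler` and `classify` names, the 4-byte transport header and the sample fragments are all constructed here. A non-initial fragment carries no ports, so nothing is matched until the datagram is whole, and overlapping fragments, a classic reassembly hazard, are refused.

```python
from dataclasses import dataclass


@dataclass
class Fragment:
    ident: int      # identification shared by all fragments of one datagram
    offset: int     # byte offset of this piece (real IPv4/IPv6 count 8-byte units)
    more: bool      # "more fragments" flag; False marks the last piece
    payload: bytes


class Reassembler:
    """Collect fragments per ident and return the full datagram once complete."""

    def __init__(self):
        self._pending = {}   # ident -> (fragments seen so far, total length or None)

    def add(self, frag):
        frags, total = self._pending.get(frag.ident, ([], None))
        for f in frags:      # overlapping pieces are refused rather than "repaired"
            if frag.offset < f.offset + len(f.payload) and f.offset < frag.offset + len(frag.payload):
                self._pending.pop(frag.ident, None)
                raise ValueError("overlapping fragment for ident %d" % frag.ident)
        frags.append(frag)
        if not frag.more:
            total = frag.offset + len(frag.payload)
        self._pending[frag.ident] = (frags, total)
        if total is None:
            return None                      # last piece not seen yet
        ordered = sorted(frags, key=lambda f: f.offset)
        pos = 0
        for f in ordered:
            if f.offset != pos:
                return None                  # a hole remains; keep waiting
            pos += len(f.payload)
        if pos != total:
            return None
        del self._pending[frag.ident]
        return b"".join(f.payload for f in ordered)


def match_port_selector(datagram, selectors):
    """Constructed transport header: bytes 0-1 source port, bytes 2-3 destination port.
    selectors maps a destination port to the SA that carries that traffic."""
    return selectors.get(int.from_bytes(datagram[2:4], "big"))


def classify(frag, selectors, reasm):
    """Reassemble first, then select the SA; a lone non-initial fragment yields None."""
    datagram = reasm.add(frag)
    return None if datagram is None else match_port_selector(datagram, selectors)


def demo():
    selectors = {443: "SA-https"}                       # constructed port-selector SAs
    payload = b"\x04\xd2\x01\xbb" + b"hello world"      # src 1234, dst 443, 11 data bytes
    first = Fragment(7, 0, True, payload[:8])
    second = Fragment(7, 8, False, payload[8:])
    reasm = Reassembler()
    # deliver out of order: the tail alone cannot be matched, the whole datagram can
    return [classify(second, selectors, reasm), classify(first, selectors, reasm)]
```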