
Re: CONSENSUS TEST: Fragmentation handling

>>>>> "Theodore" == Theodore Ts'o <tytso@mit.edu> writes:
    Theodore> OK, do we have consensus on the following text?
    Theodore> (Taken from Steve's message of March 22nd, with #2 changed
    Theodore> to MAY and #3 changed to SHOULD).

    Theodore> Please respond by Friday....

  yes.

  I'm unclear how a responder knows that a non-initial fragment SA is
being negotiated in IKE. Is it based only on the OPAQUE value as 
port-selectors? What about the protocol?

    Theodore> 3. An implementation SHOULD support some form of stateful
    Theodore> fragment checking for a tunnel mode SA with non-trivial
    Theodore> port field values (not ANY or OPAQUE).  Implementations
    Theodore> that will transmit non-initial fragments on a tunnel mode
    Theodore> SA that makes use of non-trivial port selectors MUST
    Theodore> notify a peer via an IKE payload (TBD). The peer MUST

  This seems like a new option to the TSx payload, right?

--
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
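The "stateful fragment checking" that item 3 of the proposed text asks for, shown as an added example that is not from this thread or from any IKE/IPsec implementation. It assumes a hypothetical selector model with ANY, OPAQUE and port-range values, and a cache keyed by (src, dst, proto, IP ID) that remembers the ports seen in the initial fragment so later non-initial fragments can be classified against a non-trivial port selector.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Hypothetical selector values (assumption, not an RFC-defined encoding):
ANY = "ANY"        # matches every port, so fragments need no state
OPAQUE = "OPAQUE"  # matches only packets whose ports cannot be inspected
PortSel = Union[str, Tuple[int, int]]  # ANY, OPAQUE or an inclusive (lo, hi) range

@dataclass(frozen=True)
class Selector:
    proto: int
    src_port: PortSel
    dst_port: PortSel

@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    ip_id: int
    frag_offset: int            # 0 for an initial fragment or unfragmented packet
    src_port: Optional[int]     # None when no transport header is present
    dst_port: Optional[int]

def port_matches(sel: PortSel, port: Optional[int], is_non_initial: bool) -> bool:
    if sel == ANY:
        return True
    if sel == OPAQUE:
        return is_non_initial           # only fragments without ports match OPAQUE
    if is_non_initial or port is None:
        return False                    # a range cannot be checked without a port
    lo, hi = sel
    return lo <= port <= hi

class StatefulFragmentChecker:
    """Classifies non-initial fragments using ports cached from the initial fragment.
    Simplification (assumption): a non-initial fragment seen before its initial
    fragment is rejected rather than buffered, and cache entries never expire."""
    def __init__(self) -> None:
        self.cache = {}

    def matches(self, sel: Selector, pkt: Packet) -> bool:
        if pkt.proto != sel.proto:
            return False
        key = (pkt.src, pkt.dst, pkt.proto, pkt.ip_id)
        non_initial = pkt.frag_offset > 0
        if not non_initial:
            self.cache[key] = (pkt.src_port, pkt.dst_port)   # remember ports for later fragments
            sp, dp = pkt.src_port, pkt.dst_port
        elif sel.src_port in (ANY, OPAQUE) and sel.dst_port in (ANY, OPAQUE):
            return port_matches(sel.src_port, None, True) and port_matches(sel.dst_port, None, True)
        elif key not in self.cache:
            return False                # no state for this datagram: cannot classify, drop
        else:
            sp, dp = self.cache[key]    # non-trivial selector: use the remembered ports
        return port_matches(sel.src_port, sp, False) and port_matches(sel.dst_port, dp, False)
```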