
Re: CONSENSUS TEST: Fragmentation handling



At 11:10 AM +0200 4/7/04, Francis Dupont wrote:
>  In your previous mail you wrote:
>
>    > => anything which tries to look at inside my packets violates my
>    > confidentiality, and I don't like this at all from something which
>    > is supposed to protect it. IMHO a router should not look at something
>    > which is not in the IP header, or do you argue we should only use
>    > IPsec end-to-end? (I am not against the idea but this is a bit drastic).
>   
>    We're talking about behavior in an IPsec implementation which enforces
>    policy based on port numbers.  On the cleartext side, it's *already*
>    looking into the packet well past the IP header.
>   
>=> I have nothing against an IPsec implementation which enforces policy
>based on port numbers and when a security gateway is colocated with
>a stateful firewall this is the thing to do, so this has to be specified.
>My concern is as a side effect of this specification it seems that
>to enforce policy based on port numbers is RECOMMENDED. I believe the
>issue is in fact in the wording...
>
>Thanks
>
>Francis.Dupont@enst-bretagne.fr

Compliant IPsec implementations have always had to be able to use 
port numbers in SPD entries, according to 2401. What we are saying 
here is that IF the user/admin is using port numbers in an SPD entry, 
AND if he needs to accommodate fragments, THEN support for approach 
#3 is RECOMMENDED. But, if the IPsec implementation is not capable of 
supporting reassembly or equivalent, stateful processing, then it 
need not implement #3.

Steve
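An added illustration of the point under discussion, written for this archive and not taken from the thread or from any IPsec implementation: a port-selecting SPD entry can only be matched against the initial fragment of a datagram, because later fragments carry no transport header. The constructed model below contrasts a plain per-packet lookup with "equivalent stateful processing" (the verdict for the initial fragment is remembered per datagram and applied to its later fragments); the addresses, policy and field layout are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed, simplified model (not RFC 2401 text): an SPD entry may select on a
# destination port, which only the initial fragment of a datagram carries.
@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: int            # 6 = TCP, 17 = UDP
    ident: int            # IP Identification: shared by every fragment of one datagram
    frag_offset: int      # 0 marks the initial fragment
    dport: Optional[int]  # None when the transport header is not present

@dataclass(frozen=True)
class SpdEntry:
    dst: str
    proto: int
    dport: Optional[int]  # None means "any port"
    action: str           # PROTECT, BYPASS or DISCARD

SPD = [SpdEntry("10.0.0.5", 6, 443, "PROTECT")]  # constructed sample policy

def lookup_stateless(spd, pkt) -> str:
    """Plain per-packet SPD lookup: a non-initial fragment has no port to match
    on, so a port-selecting entry never matches it and it falls to the default
    DISCARD, even though it belongs to traffic the policy meant to protect."""
    for e in spd:
        if e.dst == pkt.dst and e.proto == pkt.proto:
            if e.dport is None or e.dport == pkt.dport:
                return e.action
    return "DISCARD"

class StatefulLookup:
    """Stateful handling in the spirit of approach #3 without full reassembly:
    the verdict reached for the initial fragment is cached per datagram and
    reused for that datagram's later fragments. A non-initial fragment whose
    initial fragment has not been seen has no verdict and is discarded.
    A real implementation would also expire cache entries and check for
    overlapping or out-of-order fragments; that is left out here."""
    def __init__(self, spd):
        self.spd = spd
        self.state: Dict[Tuple[str, str, int, int], str] = {}

    def lookup(self, pkt) -> str:
        key = (pkt.src, pkt.dst, pkt.proto, pkt.ident)
        if pkt.frag_offset == 0:
            verdict = lookup_stateless(self.spd, pkt)
            self.state[key] = verdict
            return verdict
        return self.state.get(key, "DISCARD")
```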