Re: CONSENSUS TEST: Fragmentation handling
At 11:10 AM +0200 4/7/04, Francis Dupont wrote:
> In your previous mail you wrote:
>
> > => anything which tries to look at inside my packets violates my
> > confidentiality, and I don't like this at all from something which
> > is supposed to protect it. IMHO a router should not look at something
> > which is not in the IP header, or do you argue we should only use
> > IPsec end-to-end? (I am not against the idea but this is a bit drastic).
>
> We're talking about behavior in an IPsec implementation which enforces
> policy based on port numbers. On the cleartext side, it's *already*
> looking into the packet well past the IP header.
>
> => I have nothing against an IPsec implementation which enforces policy
> based on port numbers and when a security gateway is colocated with
> a stateful firewall this is the thing to do, so this has to be specified.
> My concern is as a side effect of this specification it seems that
> to enforce policy based on port numbers is RECOMMENDED. I believe the
> issue is in fact in the wording...
>
> Thanks
>
> Francis.Dupont@enst-bretagne.fr
Compliant IPsec implementations have always had to be able to use
port numbers in SPD entries, according to 2401. What we are saying
here is that IF the user/admin is using port numbers in an SPD entry,
AND if he needs to accommodate fragments, THEN support for approach
#3 is RECOMMENDED. But, if the IPsec implementation is not capable of
supporting reassembly or equivalent, stateful processing, then it
need not implement #3.
Steve
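As an added illustration, not part of this thread, of RFC 2401 or of any implementation: a toy SPD lookup showing why a non-initial fragment (which carries no transport header, hence no port) cannot be matched statelessly against a port selector, beside a minimal stateful variant of the kind the "reassembly or equivalent, stateful processing" above allows. The class names, the (src, dst, proto, IP ID) cache key and the sample packets are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    ip_id: int
    frag_offset: int          # 0 for the first fragment or an unfragmented packet
    more_fragments: bool
    dst_port: Optional[int]   # None on non-initial fragments: the transport header is absent

@dataclass(frozen=True)
class SpdEntry:
    dst_port: Optional[int]   # None means "any port"
    action: str               # "PROTECT", "BYPASS" or "DISCARD"

@dataclass
class Spd:
    entries: List[SpdEntry]
    default: str = "DISCARD"
    # Stateful fragment cache (assumption): first-fragment decision keyed by IP ID tuple.
    frag_state: Dict[Tuple[str, str, int, int], str] = field(default_factory=dict)

    def stateless_lookup(self, pkt: Packet) -> str:
        """Plain selector match; a port selector can never match a port-less fragment."""
        for e in self.entries:
            if e.dst_port is None or e.dst_port == pkt.dst_port:
                return e.action
        return self.default

    def stateful_lookup(self, pkt: Packet) -> str:
        """Classify the first fragment, then apply its decision to the rest of the datagram."""
        key = (pkt.src, pkt.dst, pkt.proto, pkt.ip_id)
        if pkt.frag_offset == 0:
            action = self.stateless_lookup(pkt)
            if pkt.more_fragments:
                self.frag_state[key] = action
            return action
        action = self.frag_state.get(key)
        if action is None:          # first fragment not seen: cannot classify, fall back
            return self.default
        if not pkt.more_fragments:  # last fragment: datagram complete, drop the state
            self.frag_state.pop(key)
        return action

def classify(spd: Spd, pkts: List[Packet], stateful: bool) -> List[str]:
    lookup = spd.stateful_lookup if stateful else spd.stateless_lookup
    return [lookup(p) for p in pkts]
```

Run the same two-fragment datagram through both lookups: the stateless one discards the second fragment of a flow whose first fragment it protected, the stateful one keeps the decision consistent across the datagram.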