[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

2401bis Issue # 81 -- Handling outbound red fragments

To: ipsec mailingList <ipsec@xxxxxxxxxxxxxxxxx>
Subject: 2401bis Issue # 81 -- Handling outbound red fragments
From: Karen Seo <kseo@xxxxxxx>
Date: Tue, 30 Sep 2003 01:49:06 -0400
Cc: byfraser@xxxxxxxxx, tytso@xxxxxxx, "Angelos D. Keromytis" <angelos@xxxxxxxxxxxxxxx>, kivinen@xxxxxx, kseo@xxxxxxx
Sender: owner-ipsec@xxxxxxxxxxxxxxxxx

Folks,

Here's a description and proposed approach for:

IPsec Issue #: 81

Title: Handling outbound red fragments


Description:
=============

    Plaintext	|---------------|   Cyphertext
     Outbound	|               |    Inbound
    ----------->|     IPsec	|<------------
                |    entity 1   |
                |               |
                |---------------|

Although there is some ambiguity, 2401 generally states that SAs configured for transport mode operation do not accept outbound red IP fragments as inputs. In contrast, tunnel mode SAs are allowed to accept outbound red fragments as inputs for BITS, BITW, and security gateway implementations. Accepting outbound fragments raises the question of how to select an SPD entry, since a fragment may be missing applicable selector fields. 2401 indicates that a fragment can be mapped to an SA only if the SA selectors for the unavailable field(s) are marked as OPAQUE or ANY. Should we change how IPsec handles this situation?

Note: While transport mode doesn't work with outbound red IP fragments in IPv4, it would work for IPv6...

a. For IPv4, in each fragment, the IPsec header is inserted between the IPv4 header, which contans the fragmentation-related fields, and the payload. The receiving system processes the fragmentation information before the IPsec header and does reassembly before IPsec processing. It thus ends up with a re-assembled packet containing IPsec headers (as many as there were fragments) interspersed throughout the data.

b. For IPv6, in each fragment, the IPsec header is inserted before the fragmentation-related fields. The receiving system processess the extension headers in order, doing the IPsec processing before reassembly. It thus ends up with a re-assembled packet containing only the original payload and no IPsec headers.

Proposed approach: ================== The current section on how to handle outbound fragments when the port fields may be inaccessible will be replaced by the following approach.

"Between each of pair of IPsec implementations, one or more tunnel-mode SA will be established that are used to carry ONLY non-initial red fragments, if both the source and destination end of the IPsec tunnel-mode SA agree to transmit/receive fragments (as determined via IKE negotiation or manual configuration). To provide this facility, the IPsec implementation MUST support the following:

The SPD entries for the fragment tunnels specify what kind of tunnel mode protections are required and MUST have their selectors specified as follows:

  WILDCARD = a single range that covers all possible values
  OPAQUE = the value is not available, e.g., it's encrypted
           or the protocol doesn't have that selector, etc.
  ANY = opaque or wildcard

Field   	SPD Entry
--------	-------------
src addr 	WILDCARD, flag set to use the packet value
dst addr	WILDCARD, flag set to use the packet value
protocol*	44
src port 	ANY
dst port	ANY
user id		ANY
sec. labels	ANY
mobil. hdr type	ANY
ICMP type	ANY

* IPv6 non-initial fragments use 44 to indicate a fragment.

When an initial fragment is received, its selectors will be used to look up a matching entry (for packets) in the SPD. If necessary, an SA will be created and the appropriate IPsec protection will be applied. Normal SA setup procedures are followed.

When a non-initial fragment is received, the IPsec implementation uses protocol = 44 (fragment) plus the fragment's other selectors (at a minimum, IP source and destination addresses) to look up a matching entry in the SPD. If necessary, an SA will be created and the appropriate IPsec protection will be applied. Normal SA setup procedures are followed.

Because all non-initial fragments will be mapped to SAs using protocol selector = 44, the non-initial fragments will automatically be placed on the SAs intended for their use.

At the receiving end of the fragment SA, the IPsec implementation MUST check and remove the tunnel header, check the fragment's selectors against the selectors of the SA, having set the fragment's "protocol" to 44, and verify that the fragment is a non-initial fragment by looking at the fragment's offset.

There MUST be a mechanism for the administrator to configure a minimum fragment offset value to avoid a non-initial fragment from overwriting selectors in the initial fragment. This MAY be a single value or there MAY be separate values for IPv4 and IPv6. The IPsec implementation MUST verify that the fragment offset is greater than or equal to the minimum offset value.

Thank you,
Karen

Follow-Ups:
- Re: IPsec issue #49 -- red-side fragmentation option
  - From: Mark Duffy
- Re: 2401bis Issue # 81 -- Handling outbound red fragments
  - From: Mark Duffy

Prev by Date: Ietf-apps-tls Suffer from a small penis? psk f
Next by Date: 2401bis Issue # 82 -- Creation of SAs -- clarifications
Previous by thread: Ietf-apps-tls Suffer from a small penis? psk f
Next by thread: Re: 2401bis Issue # 81 -- Handling outbound red fragments
Index(es):
- Date
- Thread