Re: 2401bis issues (red side frag)
At 12:49 PM 10/15/2003 +0300, Tero Kivinen wrote:

> I.e. there will not be a special flag for an SA that means that red
> fragments are OK for this SA. So if red fragments are not going to have
> special inbound handling, issue 81, which proposed creating a special
> SA for outbound to them, should be rejected too.

So the special treatment was proposed. I don't think we have any issue
in the issue tracker about whether the 2401bis should or should not
permit red-side fragmentation.

I would like to request that 2401bis lift the prohibition on red-side
fragmentation by SG, BITS, BITW.

Red side fragmentation, when employed, can reduce the reassembly burden on
the IPsec receiver, and with it some potential for DoS attack. It can also
increase the performance of the overall solution, by distributing the
reassembly burden to end hosts. I know of at least one vendor that offers
a red-side fragmentation option now, and I believe that other vendors do so.

After applying red-side fragmentation, the IPsec device would evaluate the
SPD for each fragment just as though the fragments had been received from
the black side. Fragments not containing port numbers can only match a
rule with port selectors equal to "wildcard" or "opaque", or rules for
protocols where port numbers are not used.

Since this behavior is pretty much indistinguishable from fragmentation
that may occur anyway upstream of the IPsec device, I do not see any reason
to disallow it.

I propose text such as the following, added somewhere in the outbound

An SG, BITS, or BITW implementation MAY fragment packets before
applying IPsec. The device SHOULD have a configuration setting
to disable this. The resulting fragments are evaluated against
the SPD in the normal manner. Thus, fragments not containing port
numbers may only match rules having port selectors of "opaque" or

P.S. Issues 49 and 81, which requested *special handling* for red-side
fragmentation, have been rejected. This request is NOT the same as those
and is in fact much simpler.
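The per-fragment SPD evaluation described in the message above, modelled as an added example (this is not code from the post or from any IPsec implementation). The packet record, the fragmentation step, the rule names, the addresses and the SPD contents are constructed for illustration; "wildcard" is modelled as matching any value and "opaque" as matching only when the port field is not present, following the terminology of the message. The example shows the check a deployer would want before enabling red-side fragmentation: a non-initial fragment carries no ports, so it skips a port-specific PROTECT entry and lands on whatever wildcard entry follows unless an "opaque" entry catches it first.

```python
"""
Red-side fragmentation followed by per-fragment SPD evaluation, modelled
in Python.  Added example; not code from the mailing-list post or from any
IPsec implementation.  The SPD, the packet record, the fragmentation step
and the rule names are simplified constructs built for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Union

WILDCARD = "wildcard"   # selector matches any value, present or not
OPAQUE = "opaque"       # selector matches only when the field is not present

TCP, UDP, ICMP = 6, 17, 1


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    payload_len: int                 # bytes after the IP header
    sport: Optional[int] = None
    dport: Optional[int] = None
    frag_offset: int = 0             # in 8-byte units, as in the IP header
    more_fragments: bool = False

    @property
    def has_ports(self) -> bool:
        # Only the initial fragment carries the transport header, and only
        # port-bearing protocols have port fields at all.
        return self.frag_offset == 0 and self.proto in (TCP, UDP)


def fragment(pkt: Packet, mtu: int, ip_hdr_len: int = 20) -> List[Packet]:
    """Split a packet on the red side, before IPsec is applied.  Every
    fragment but the last carries a multiple of 8 bytes of payload."""
    if pkt.payload_len <= mtu - ip_hdr_len:
        return [pkt]
    max_data = (mtu - ip_hdr_len) // 8 * 8
    frags, offset = [], 0
    while offset < pkt.payload_len:
        size = min(max_data, pkt.payload_len - offset)
        first = offset == 0
        frags.append(Packet(pkt.src, pkt.dst, pkt.proto, size,
                            sport=pkt.sport if first else None,
                            dport=pkt.dport if first else None,
                            frag_offset=offset // 8,
                            more_fragments=offset + size < pkt.payload_len))
        offset += size
    return frags


@dataclass
class Rule:
    name: str
    proto: Union[int, str]       # protocol number or WILDCARD
    dport: Union[int, str]       # port number, WILDCARD or OPAQUE
    action: str                  # PROTECT, BYPASS or DISCARD


def port_selector_matches(selector: Union[int, str], port: Optional[int]) -> bool:
    if selector == WILDCARD:
        return True
    if selector == OPAQUE:
        return port is None
    return port is not None and port == selector


def lookup(spd: List[Rule], pkt: Packet) -> Rule:
    """First-match evaluation of an ordered SPD against one fragment."""
    dport = pkt.dport if pkt.has_ports else None
    for rule in spd:
        if rule.proto not in (WILDCARD, pkt.proto):
            continue
        if port_selector_matches(rule.dport, dport):
            return rule
    # No entry matched: modelled here as an implicit discard.
    return Rule("implicit-discard", WILDCARD, WILDCARD, "DISCARD")


# Constructed SPD.  The OPAQUE entry is what catches non-initial fragments;
# without it they fall through to the wildcard BYPASS entry.
SPD_WITH_OPAQUE = [
    Rule("icmp-bypass", ICMP, WILDCARD, "BYPASS"),
    Rule("https-protect", TCP, 443, "PROTECT"),
    Rule("tcp-nonfirst-protect", TCP, OPAQUE, "PROTECT"),
    Rule("bypass-rest", WILDCARD, WILDCARD, "BYPASS"),
]
SPD_WITHOUT_OPAQUE = [r for r in SPD_WITH_OPAQUE if r.dport != OPAQUE]


def classify(pkt: Packet, mtu: int, spd: List[Rule]) -> List[tuple]:
    """Fragment on the red side, then evaluate each fragment against the SPD
    as if it had arrived already fragmented: (offset, has_ports, action)."""
    return [(f.frag_offset, f.has_ports, lookup(spd, f).action)
            for f in fragment(pkt, mtu)]


if __name__ == "__main__":
    https = Packet("10.0.0.5", "192.0.2.10", TCP, 3000, sport=51000, dport=443)
    for label, spd in (("with OPAQUE entry", SPD_WITH_OPAQUE),
                       ("without OPAQUE entry", SPD_WITHOUT_OPAQUE)):
        print(label, classify(https, 1500, spd))
```

With the OPAQUE entry present, all three fragments of the 3000-byte HTTPS packet are protected; with it absent, the two non-initial fragments match the trailing wildcard BYPASS entry and leave the device unprotected. That is the same outcome an upstream router fragmenting the packet would produce, which is the message's point, but it is also why an SPD should be reviewed for an "opaque" entry before red-side fragmentation is switched on.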