
Re: 2401bis issues (red side frag)

At 12:49 PM 10/15/2003 +0300, Tero Kivinen wrote:
> I.e. there will not be a special flag for an SA that means that red
> fragments are OK for this SA. So if red fragments are not going to have
> special inbound handling, issue 81, which proposed creating a special
> SA for outbound to them, should be rejected too.
>
> So the special treatment was proposed. I don't think we have any issue
> in the issue tracker about whether the 2401bis should or should not
> permit red-side fragmentation.

Hi all,

I would like to request that 2401bis lift the prohibition on red-side fragmentation by SG, BITS, BITW.

Red-side fragmentation, when employed, can reduce the reassembly burden on the IPsec receiver, and with it some potential for DoS attack. It can also increase the performance of the overall solution by distributing the reassembly burden to end hosts. I know of at least one vendor that offers a red-side fragmentation option now, and I believe that other vendors do so as well.

After applying red-side fragmentation, the IPsec device would evaluate the SPD for each fragment just as though the fragments had been received from the black side. Fragments not containing port numbers can only match a rule with port selectors equal to "wildcard" or "opaque", or rules for protocols where port numbers are not used.

Since this behavior is pretty much indistinguishable from fragmentation that may occur anyway upstream of the IPsec device, I do not see any reason to disallow it.

I propose text such as the following, added somewhere in the outbound processing description:

    An SG, BITS, or BITW implementation MAY fragment packets before
    applying IPsec.  The device SHOULD have a configuration setting
    to disable this.  The resulting fragments are evaluated against
    the SPD in the normal manner.  Thus, fragments not containing port
    numbers may only match rules having port selectors of "opaque" or

Thanks, Mark

P.S. Issues 49 and 81, which requested *special handling* for red-side fragmentation, have been rejected. This request is NOT the same as those and is in fact much simpler.
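The outbound processing Mark describes (fragment on the red side first, then run every fragment through the SPD as if it had arrived from the black side, with fragments lacking a transport header able to match only "wildcard" or "opaque" port selectors) is easy to misread unless one sees what happens to the non-initial fragments. The following is an added illustration, not code from the thread or from any vendor's implementation. The SPD entries, addresses, protocol numbers and payload sizes are constructed sample values; the selector names ANY and OPAQUE and the first-match-wins ordering are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

ANY = "ANY"        # wildcard selector: matches whether or not a port value is present
OPAQUE = "OPAQUE"  # matches only when the port value is unavailable (no transport header)
PortSel = Union[int, str]

@dataclass
class Fragment:
    src: str
    dst: str
    proto: int                   # constructed: 6 = TCP, 17 = UDP
    offset: int                  # fragment offset in 8-octet units
    length: int                  # octets of data carried after the IP header
    sport: Optional[int] = None  # None when this fragment carries no transport header
    dport: Optional[int] = None

@dataclass
class SpdEntry:
    name: str
    action: str                  # "PROTECT", "BYPASS" or "DISCARD"
    src: str = ANY
    dst: str = ANY
    proto: Union[int, str] = ANY
    sport: PortSel = ANY
    dport: PortSel = ANY

def port_matches(selector: PortSel, value: Optional[int]) -> bool:
    """Wildcard matches anything; OPAQUE matches only a missing port;
    a numeric selector needs a present and equal port."""
    if selector == ANY:
        return True
    if selector == OPAQUE:
        return value is None
    return value is not None and value == selector

def entry_matches(e: SpdEntry, f: Fragment) -> bool:
    for sel, val in ((e.src, f.src), (e.dst, f.dst), (e.proto, f.proto)):
        if sel != ANY and sel != val:
            return False
    return port_matches(e.sport, f.sport) and port_matches(e.dport, f.dport)

def lookup(spd: List[SpdEntry], f: Fragment) -> Optional[SpdEntry]:
    """Ordered SPD: the first matching entry wins; None means no entry matched."""
    for e in spd:
        if entry_matches(e, f):
            return e
    return None

def fragment_red_side(src, dst, proto, sport, dport, payload_len, mtu,
                      ip_hdr=20, l4_hdr=8) -> List[Fragment]:
    """Split an outbound packet into IPv4 fragments before IPsec is applied.
    Only the first fragment carries the transport header, so only it has ports."""
    max_data = (mtu - ip_hdr) // 8 * 8      # all but the last fragment are 8-octet multiples
    total = l4_hdr + payload_len            # octets following the IP header
    frags, off = [], 0
    while off < total:
        n = min(max_data, total - off)
        has_l4 = off == 0 and n >= l4_hdr   # whole transport header present in this piece
        frags.append(Fragment(src, dst, proto, off // 8, n,
                              sport if has_l4 else None, dport if has_l4 else None))
        off += n
    return frags

def classify(spd: List[SpdEntry], frags: List[Fragment]) -> List[str]:
    """Action applied to each fragment; a fragment matching no entry is discarded."""
    return [(e.action if (e := lookup(spd, f)) else "DISCARD") for f in frags]

# Constructed sample SPD. Note the OPAQUE entry: without it, non-initial TCP
# fragments would match nothing and be dropped after red-side fragmentation.
SAMPLE_SPD = [
    SpdEntry("dns-bypass", "BYPASS", proto=17, dport=53),
    SpdEntry("web-protect", "PROTECT", proto=6, dport=443),
    SpdEntry("tcp-frag-protect", "PROTECT", proto=6, sport=OPAQUE, dport=OPAQUE),
]

if __name__ == "__main__":
    tcp = fragment_red_side("10.0.0.1", "10.0.1.1", 6, 40000, 443, 3000, 1500, l4_hdr=20)
    udp = fragment_red_side("10.0.0.1", "10.0.1.1", 17, 40000, 53, 3000, 1500, l4_hdr=8)
    for name, frags in (("tcp/443", tcp), ("udp/53", udp)):
        for f, action in zip(frags, classify(SAMPLE_SPD, frags)):
            print(f"{name} offset={f.offset:4d} ports={f.sport}/{f.dport} -> {action}")
```

Running it shows the consequence the proposed text hints at: the TCP packet's three fragments are all protected because an opaque-port entry exists for TCP, while the UDP/53 packet's first fragment is bypassed and its remaining two fragments are discarded, since no entry with wildcard or opaque ports covers them. An administrator enabling red-side fragmentation therefore has to check that the SPD, not just the transport-layer rules, covers non-initial fragments.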