Thank you, Tero! You've cut right
to the heart of my misunderstanding. I was thinking that with a suitably
matched policy between sender and receiver everything would work fine.
I'm accustomed to the fact that IPv6 fragmentation will not occur
in the network, but it slipped my mind that IPv4 fragmentation may occur
in the network without the knowledge of the sender.
Scott Moonen (smoonen <at> us.ibm.com)
|Tero Kivinen <kivinen <at> iki.fi>
04/13/2007 06:47 AM
|Scott C Moonen/Raleigh/IBM <at> IBMUS
|ipsec <at> ietf.org
|[Ipsec] RFC 4301 and stateful fragment
Scott C Moonen writes:
> Because the fragments will not match the port-119 BYPASS rule, and
> the use of OPAQUE selectors prevents the attacker from injecting fragments
> into the IPsec-protected traffic, it seems to me that the RFC's concern
> can be addressed without stateful fragment checking, and therefore
> MUST above is unwarranted. Can anyone comment on this?
If that MUST is not followed then all fragmented packets using port
119 will be dropped, thus causing the BYPASS rule not work (note, that
packets might leave the sending host as one packet, and they might get
fragmented in the network, thus in the sending host it uses the BYPASS
rule, but on the receiving end it used BYPASS and non-first fragments
The RFC4301 tries to make solutions which allows fragmented packets to
be used, thus it enforces solutions which allows using fragments, not
solutions which prevent using them. Because of this there is this MUST
which makes sure fragmented bypassed traffic will work regardless what
other rules there are.
kivinen <at> safenet-inc.com