List: ipsec
Subject: Re: [Ipsec] Stateful fragment check
From: Stephen Kent <kent@bbn.com>
Date: 2005-01-10 16:57:37
Message-ID: p06200709be086341eb40@[128.89.89.75]
At 8:38 AM -0800 1/8/05, Surya Batchu wrote:
>Hi,
>
>If 'Stateful fragment check' is required, then the security policies
>on both communicating security gateways should be configured
>with the 'fragCheck' set to TRUE. It means that the users
>configuring the policies on these security gateways should know a
>priori that these gateways support this feature. Is that correct?
>
>If so, what are the advantages of negotiating
>IKE_NOTIFY_NON_FIRST_FRAGMENT_ALSO using IKEv2?
An IPsec implementation uses this feature to determine if a peer is
willing to accommodate non-initial fragments on the SA being
negotiated, when the traffic selectors for the SA require inspection
of port fields.
>If there is any mis-configuration of the 'fragCheck' flag on IPsec
>peers, then this negotiation helps in notifying the user with an
>auditable event and correcting the configuration. This is one
>advantage I see. Are there any other uses of this?
It is not necessarily a mis-configuration, just a different local
policy, just like traffic selectors are local policy info. We need a
way to detect that there would be problems if non-initial fragments
were sent via the SA, just as we want a way to detect if traffic
consistent with specified selectors will be acceptable to a peer. IKE
negotiation accomplishes this.
Steve
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
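The following is an added example, not code from the thread or from any IPsec implementation, modelling the two decisions Steve describes: (1) at IKE negotiation time, detect whether non-initial fragments can be carried on an SA whose traffic selectors require port inspection, and (2) at packet time, apply a stateful fragment check that remembers the ports seen in the first fragment. It assumes, as a simplification, that a peer sends the NON_FIRST_FRAGMENTS_ALSO notification exactly when its local 'fragCheck' policy is TRUE and that the notification only takes effect when both peers send it; the class and function names, the 'audit:' event strings and the sample fragments are all constructed here.

```python
"""Added example: fragment handling on an IPsec SA with port-sensitive selectors."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_ANY = (0, 65535)


@dataclass(frozen=True)
class Selector:
    """One traffic selector: IP protocol plus a destination port range."""
    proto: int
    ports: Tuple[int, int] = PORT_ANY

    def needs_ports(self) -> bool:
        # A selector narrower than ANY can only be evaluated on packets
        # that carry a transport header, i.e. the first fragment.
        return self.ports != PORT_ANY


@dataclass
class PeerPolicy:
    name: str
    selectors: List[Selector]
    frag_check: bool  # the 'fragCheck' local-policy flag from the thread


@dataclass
class Fragment:
    ident: int                      # IP identification, shared by all fragments
    proto: int
    offset: int                     # 0 for the first fragment
    more: bool                      # MF bit
    dst_port: Optional[int] = None  # only the first fragment carries the header


def negotiate_non_first(a: PeerPolicy, b: PeerPolicy) -> Tuple[bool, List[str]]:
    """Simplified IKEv2 view (assumption): each side sends
    NON_FIRST_FRAGMENTS_ALSO iff its fragCheck is TRUE, and non-initial
    fragments may use the SA only if both sides sent it. A mismatch is
    reported as an auditable event when the selectors need port inspection."""
    events: List[str] = []
    sent = {p.name: p.frag_check for p in (a, b)}
    allowed = all(sent.values())
    port_sensitive = any(s.needs_ports() for s in a.selectors + b.selectors)
    if port_sensitive and not allowed:
        missing = [n for n, v in sent.items() if not v]
        events.append(f"audit: peer(s) {missing} did not send NON_FIRST_FRAGMENTS_ALSO; "
                      "non-initial fragments will be dropped on this SA")
    return allowed, events


class StatefulFragmentChecker:
    """Per-SA state: the destination port seen in a first fragment, keyed by IP ID."""

    def __init__(self, policy: PeerPolicy, non_first_allowed: bool):
        self.policy = policy
        self.non_first_allowed = non_first_allowed
        self.state: Dict[int, int] = {}

    def _selector_match(self, proto: int, port: Optional[int]) -> bool:
        return port is not None and any(
            s.proto == proto and s.ports[0] <= port <= s.ports[1]
            for s in self.policy.selectors)

    def check(self, frag: Fragment) -> str:
        if frag.offset == 0:
            ok = self._selector_match(frag.proto, frag.dst_port)
            if ok and frag.more:
                self.state[frag.ident] = frag.dst_port  # remember for later pieces
            return "accept" if ok else "drop: selector mismatch"
        if not self.non_first_allowed:
            return "drop: non-initial fragments not permitted on this SA"
        if frag.ident not in self.state:
            return "drop: no state for non-initial fragment"
        if not frag.more:
            del self.state[frag.ident]  # last piece seen, release the entry
        return "accept"


def demo() -> Tuple[List[str], List[str]]:
    """Two gateways that both support the check, an SSH-only SA, one 2-piece datagram."""
    ssh_only = [Selector(proto=6, ports=(22, 22))]
    gw_a = PeerPolicy("gw-a", ssh_only, frag_check=True)
    gw_b = PeerPolicy("gw-b", ssh_only, frag_check=True)
    allowed, events = negotiate_non_first(gw_a, gw_b)
    chk = StatefulFragmentChecker(gw_a, allowed)
    first = Fragment(ident=0x1234, proto=6, offset=0, more=True, dst_port=22)   # constructed
    rest = Fragment(ident=0x1234, proto=6, offset=185, more=False)             # constructed
    return [chk.check(first), chk.check(rest)], events


if __name__ == "__main__":
    print(demo())
```

The point of the negotiation step is the one made above: a peer that does not signal support is not mis-configured, it simply has a different local policy, and the initiator needs to learn that before it sends a non-initial fragment that the peer would have to drop for lack of port information.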