From: David Miller <davem@davemloft.net>
To: kuznet@ms2.inr.ac.ru
Cc: hpa@zytor.com, stephen@dino.dnsalias.com, netdev@vger.kernel.org
Subject: Re: ProxyARP and IPSec
Date: Fri, 22 Sep 2006 13:36:46 -0700 (PDT)
Message-ID: <20060922.133646.68153303.davem@davemloft.net>
In-Reply-To: <20060905090530.GA17104@ms2.inr.ac.ru>
From: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Date: Tue, 5 Sep 2006 13:05:30 +0400
> Look into old rfc2401, search for word "fragment".
> Then search for the same word in new rfc4301. All those 100K of new text
> deal with various design bugs in IPsec, mostly with pathologies encountered
> in the case of security gateways. (Some section there are real fun: f.e.
> look at section 7.2)
I even was not aware of this problem. :-)
Essentially, if you use ports as part of your selector,
then it is impossible to handle anything other than the
first fragment of a fragmented frame because the subsequent
fragments will not have the ports which you need in order
to match.
The suggestions in 7.2 involving a separate SA for the non-first
fragments seem totally unrealistic, if you ask me. They even say
the idea cannot work with ipv6, what is the point? :-)
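The matching failure described in this message, as an added example that is not code from the thread, from the kernel, or from any IPsec implementation: a small model of SPD selector matching over hand-built IPv4 packets. Only the first fragment carries the TCP header, so a policy entry that names a port can never match a later fragment; the model follows the ANY/OPAQUE selector values of RFC 4301 section 4.4.1 (ANY covers everything, OPAQUE matches only fields that are unavailable) and adds a companion entry with OPAQUE ports, which is the separate-SA arrangement section 7.2 proposes. Addresses, ports, packet bytes and the policy names are constructed for the example.

```python
"""Toy model of IPsec SPD selector matching against IPv4 fragments.

Added example, not netdev or kernel code. Packet bytes are constructed
by hand; checksums are left zero because nothing here verifies them.
"""
import struct
from dataclasses import dataclass
from typing import Union

ANY = "ANY"        # wildcard: matches every value, including an unavailable one
OPAQUE = "OPAQUE"  # field unavailable for examination (e.g. non-initial fragment)
Port = Union[int, str]


@dataclass
class Selector:
    src: str
    dst: str
    proto: Port
    sport: Port
    dport: Port


@dataclass
class Traffic:
    src: str
    dst: str
    proto: int
    sport: Port   # int when a transport header is present, else OPAQUE
    dport: Port
    non_initial_fragment: bool


def parse_ipv4(pkt: bytes) -> Traffic:
    """Extract the selector fields from a raw IPv4 packet (no option parsing)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tot, _ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    frag_off = flags_frag & 0x1FFF          # 13-bit offset in 8-byte units
    src_ip = ".".join(str(b) for b in src)
    dst_ip = ".".join(str(b) for b in dst)
    if frag_off != 0:
        # Non-initial fragment: the TCP/UDP header travelled in the first
        # fragment only, so there are no ports here to examine.
        return Traffic(src_ip, dst_ip, proto, OPAQUE, OPAQUE, True)
    if proto in (6, 17) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        return Traffic(src_ip, dst_ip, proto, sport, dport, False)
    return Traffic(src_ip, dst_ip, proto, OPAQUE, OPAQUE, False)


def _field_matches(sel: Port, value: Port) -> bool:
    if sel == ANY:
        return True              # ANY also covers OPAQUE (RFC 4301 4.4.1.1)
    if sel == OPAQUE:
        return value == OPAQUE   # matches only packets whose field is missing
    return value == sel          # concrete value needs a present, equal field


def matches(sel: Selector, t: Traffic) -> bool:
    return (sel.src == t.src and sel.dst == t.dst
            and _field_matches(sel.proto, t.proto)
            and _field_matches(sel.sport, t.sport)
            and _field_matches(sel.dport, t.dport))


def build_ipv4(src: str, dst: str, proto: int, frag_off: int,
               more: bool, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) followed by the given payload."""
    flags_frag = ((1 if more else 0) << 13) | (frag_off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0,
                      bytes(int(x) for x in src.split(".")),
                      bytes(int(x) for x in dst.split(".")))
    return hdr + payload


# Constructed sample: one TCP segment to port 443 split into two fragments.
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x18, 65535, 0, 0)
FIRST_FRAG = build_ipv4("10.0.0.5", "192.0.2.10", 6, 0, True, TCP_HDR + b"A" * 100)
SECOND_FRAG = build_ipv4("10.0.0.5", "192.0.2.10", 6, 185, False, b"B" * 100)

# Entry that names a port: only the first fragment can ever match it.
PORT_POLICY = Selector("10.0.0.5", "192.0.2.10", 6, ANY, 443)
# Companion entry with OPAQUE ports for the remaining fragments (RFC 4301 7.2).
FRAG_POLICY = Selector("10.0.0.5", "192.0.2.10", 6, OPAQUE, OPAQUE)
SPD = (("port-policy", PORT_POLICY), ("fragment-policy", FRAG_POLICY))


def classify(pkt: bytes, spd=SPD) -> str:
    """Name of the first SPD entry matching the packet, or 'no-match'."""
    t = parse_ipv4(pkt)
    for name, sel in spd:
        if matches(sel, t):
            return name
    return "no-match"


if __name__ == "__main__":
    print("first fragment :", classify(FIRST_FRAG))
    print("second fragment:", classify(SECOND_FRAG))
    print("second fragment, port policy only:",
          classify(SECOND_FRAG, (("port-policy", PORT_POLICY),)))
```

With only the port-bearing entry installed, the second fragment falls through to "no-match", which on a real gateway means the flow is dropped; the OPAQUE entry is what catches it, at the price of letting any fragment between those hosts ride that SA regardless of port.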