cisco4ng wrote:
> All,
> I have a Checkpoint site-to-site VPN that will transfer about 40GB of data
> between them. When I read the Checkpoint release notes, Checkpoint recommends
> that I use dbedit to modify the parameter "ipsec_dont_fragment" from "true"
> to "false" so that large file transfers across the VPN tunnel will not
> drop unexpectedly. Here is my question:
> 1) If that is true, why doesn't Checkpoint make the ipsec_dont_fragment
> parameter "false" by default?
It breaks PMTU discovery. Being able to configure this is _required_
by the IPsec standards. See section 6.1 and Appendix B of RFC2401
for a much more detailed discussion. I'm not sure if the standards
demand the default to go one way or the other.
> 2) What is the downside or side-effect of changing ipsec_dont_fragment from
> "true" to "false"?
It breaks PMTU discovery, which can degrade performance. However,
"false" works better for certain crippled IP stacks that don't do
PMTU correctly, or when intermediate systems do things that break PMTU.
> I could never get a straight answer on this one from Checkpoint TAC.
> They must be smoking crack or something.
Guess they don't even know what standards their software conforms
to.
> next question:
> when I perform "fw unloadlocal" on SPLAT or Nokia, IP forwarding is
> disabled as well. It means that on Nokia and SPLAT routing is stopped
> at that point. To enable routing on SPLAT I have to perform
> "echo 1 > /proc/sys/net/ipv4/ip_forward" or "ipsofwd on admin". Here
> is my question:
> 1) Why in the world does Checkpoint want to do that? I understand that
> they don't want the firewall to be vulnerable during the boot process
> (even though the booting process only takes a few minutes),
> but turning off routing when performing "fw unloadlocal" just doesn't
> make sense. I know that most people use "fw unloadlocal" for
> troubleshooting purposes and they want to see if the firewall is passing
> traffic without any security policy. Now if routing is disabled
> by "fw unloadlocal" then no traffic can route across the firewall.
> How stupid can that be?
It's the secure thing to do. This is a firewall, a security device
after all. The few times I've wanted to unload local policy, that
is the behavior I wanted: no forwarding. If the default were to
continue forwarding, I would need to do the unload and then quickly
try to disable forwarding before the bad, bad packets crept through
my firewall. I would have a window of vulnerability. But I don't have to
worry about that. We fail safe. However, the crazy people who want to
have their firewalls running as wide-open routers can open them up,
but yeah, they need to enter an extra command.
> 2) Is it possible to keep routing enabled on SPLAT or Nokia boxes after
> "fw unloadlocal" without using "echo 1 > /proc/sys/net/ipv4/ip_forward"
> or "ipsofwd on admin"?
*shrug*
--
Crist J. Clark crist.clark AT globalstar DOT com
Globalstar Communications (408) 933-4387
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
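An added example, not part of this thread and not Check Point's code: a small Python model of what the ipsec_dont_fragment choice means when an ESP packet meets a path-MTU bottleneck. It assumes ESP tunnel mode with AES-CBC (16-byte IV and block), a 12-byte HMAC-SHA1-96 ICV and a 20-byte outer IPv4 header; real overhead depends on the SA. The setting itself is modelled only as "outer DF bit set" (true) versus "cleared" (false); the function names, the 1500-byte sample sizes and the ICMP text are all constructed for this example.

```python
"""
Constructed model of an IPsec tunnel-mode packet meeting a path-MTU
bottleneck, with the outer DF bit either set (PMTU discovery possible)
or cleared (the router fragments the ESP packet). Example code, not
Check Point's; the size constants are an assumption about one common
ESP configuration, not a measurement of any real gateway.
"""
from dataclasses import dataclass, field
from typing import List, Optional

IPV4_HEADER = 20   # outer IPv4 header, no options
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_IV = 16        # AES-CBC IV
ESP_TRAILER = 2    # pad length (1) + next header (1), inside the ciphertext
ESP_ICV = 12       # HMAC-SHA1-96 integrity check value
AES_BLOCK = 16     # ciphertext is padded up to a whole block


def esp_tunnel_size(inner_len: int) -> int:
    """Outer packet size after the inner IP packet is ESP-tunnelled."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // AES_BLOCK) * AES_BLOCK   # round up to a block
    return IPV4_HEADER + ESP_HEADER + ESP_IV + padded + ESP_ICV


def max_inner_for_mtu(mtu: int) -> int:
    """Largest inner packet whose ESP encapsulation still fits in `mtu`.
    This is what a gateway that honours the ICMP feedback can report
    inward (or use to pre-fragment) once PMTU discovery has succeeded."""
    inner = mtu
    while inner > 0 and esp_tunnel_size(inner) > mtu:
        inner -= 1
    return inner


def fragment_ipv4(total_len: int, mtu: int) -> List[int]:
    """Split an IPv4 packet into on-the-wire fragment sizes for `mtu`.
    Every fragment repeats the 20-byte header, and fragment offsets are
    in 8-byte units, so the per-fragment payload is rounded down to 8."""
    payload = total_len - IPV4_HEADER
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8
    fragments = []
    offset = 0
    while offset < payload:
        chunk = min(per_fragment, payload - offset)
        fragments.append(IPV4_HEADER + chunk)
        offset += chunk
    return fragments


@dataclass
class Outcome:
    action: str                     # "forwarded", "dropped" or "fragmented"
    fragments: List[int] = field(default_factory=list)
    icmp: Optional[str] = None      # what the bottleneck router sends back


def at_bottleneck(outer_len: int, mtu: int, df_set: bool) -> Outcome:
    """What a router with next-hop MTU `mtu` does with the ESP packet."""
    if outer_len <= mtu:
        return Outcome("forwarded", [outer_len])
    if df_set:
        # RFC 1191 behaviour: drop and report the next-hop MTU. The gateway
        # only learns the path MTU if this ICMP actually gets back to it.
        return Outcome("dropped", [], f"ICMP type 3 code 4, next-hop MTU {mtu}")
    # DF cleared: the router fragments the ESP packet; the peer gateway
    # has to reassemble it before it can authenticate and decrypt it.
    return Outcome("fragmented", fragment_ipv4(outer_len, mtu))


def simulate(inner_len: int, path_mtu: int, ipsec_dont_fragment: bool) -> Outcome:
    """Model ipsec_dont_fragment as: true -> outer DF set, false -> cleared
    (an assumption about the setting's effect, made only for this example)."""
    return at_bottleneck(esp_tunnel_size(inner_len), path_mtu, ipsec_dont_fragment)


if __name__ == "__main__":
    # A full-size 1500-byte inner packet over a path whose MTU is also 1500.
    for setting in (True, False):
        print(f"ipsec_dont_fragment={setting}: {simulate(1500, 1500, setting)}")
    print("largest inner packet that fits a 1500-byte path:", max_inner_for_mtu(1500))
```

Run as written, a 1500-byte inner packet becomes a 1560-byte ESP packet. With the DF bit set it is dropped at the bottleneck and the transfer only recovers if the ICMP "fragmentation needed" message reaches the gateway, which is exactly what a filtering intermediate device can prevent; with DF cleared, every such packet turns into two fragments (1500 and 80 bytes) that the peer must reassemble before decrypting. On a Linux host you can probe the same thing end to end with `ping -M do -s <size> <peer>`, which sets DF and reports when the size does not fit.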