I-D Action: draft-roca-ipsecme-ptb-pts-attack-00.txt
internet-drafts@ietf.org Mon, 06 July 2015 14:47 UTC
Return-Path: <internet-drafts@ietf.org>
X-Original-To: i-d-announce@ietfa.amsl.com
Delivered-To: i-d-announce@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5447F1A1A5D for <i-d-announce@ietfa.amsl.com>; Mon, 6 Jul 2015 07:47:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gzKA5JQxoIC8 for <i-d-announce@ietfa.amsl.com>; Mon, 6 Jul 2015 07:47:14 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id E31431B29F1 for <i-d-announce@ietf.org>; Mon, 6 Jul 2015 07:47:14 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
Subject: I-D Action: draft-roca-ipsecme-ptb-pts-attack-00.txt
X-Test-IDTracker: no
X-IETF-IDTracker: 6.0.4.p1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20150706144714.28411.20497.idtracker@ietfa.amsl.com>
Date: Mon, 06 Jul 2015 07:47:14 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/i-d-announce/9uw5WABbjWLSAWBbWGPQonmK5sE>
X-BeenThere: i-d-announce@ietf.org
X-Mailman-Version: 2.1.15
Reply-To: internet-drafts@ietf.org
List-Id: Internet Draft Announcements only <i-d-announce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i-d-announce>, <mailto:i-d-announce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i-d-announce/>
List-Post: <mailto:i-d-announce@ietf.org>
List-Help: <mailto:i-d-announce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i-d-announce>, <mailto:i-d-announce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2015 14:47:16 -0000
A New Internet-Draft is available from the on-line Internet-Drafts directories.
Title : Too Big or Too Small? The PTB-PTS ICMP-based Attack against IPsec Gateways
Authors : Vincent Roca
Saikou Fall
Filename : draft-roca-ipsecme-ptb-pts-attack-00.txt
Pages : 16
Date : 2015-07-06
Abstract:
This document introduces the "Packet Too Big"-"Packet Too Small"
Internet Control Message Protocol (ICMP) based attack against IPsec
gateways. We explain how an attacker having eavesdropping and packet
injection capabilities, from the unsecure network where he only sees
encrypted packets, can force a gateway to reduce the Path Maximum
Transmission Unit (PMTU) of an IPsec tunnel to the minimum, which can
trigger severe issues for the hosts behind this gateway: with a Linux
host, depending on the PMTU discovery algorithm in use (i.e., PMTUd
versus PLPMTUd) and protocol (TCP versus UDP), the attack either
creates a Denial of Service or major performance penalties. This
attack highlights two fundamental problems, namely: (1) the
impossibility to distinguish legitimate from illegitimate ICMP
packets coming from the untrusted network, and (2) the contradictions
in the way Path MTU is managed by some end hosts when this Path MTU
is below the minimum packet size any link should support because of
the IPsec encapsulation.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-roca-ipsecme-ptb-pts-attack/
There's also a htmlized version available at:
https://tools.ietf.org/html/draft-roca-ipsecme-ptb-pts-attack-00
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
- I-D Action: draft-roca-ipsecme-ptb-pts-attack-00.… internet-drafts