Re: [IPsec] IKE fragmentation
Paul Wouters <paul@nohats.ca> Wed, 13 March 2013 14:40 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6139621F8C72 for <ipsec@ietfa.amsl.com>; Wed, 13 Mar 2013 07:40:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.301
X-Spam-Level:
X-Spam-Status: No, score=-2.301 tagged_above=-999 required=5 tests=[AWL=0.298, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nsTBXO59KwDK for <ipsec@ietfa.amsl.com>; Wed, 13 Mar 2013 07:40:31 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) by ietfa.amsl.com (Postfix) with ESMTP id C395621F8A41 for <ipsec@ietf.org>; Wed, 13 Mar 2013 07:40:31 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3ZQwhF5j0lz1c4; Wed, 13 Mar 2013 10:40:29 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id fk6SSK2EpF4U; Wed, 13 Mar 2013 10:40:28 -0400 (EDT)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) by mx.nohats.ca (Postfix) with ESMTP; Wed, 13 Mar 2013 10:40:28 -0400 (EDT)
Received: by bofh.nohats.ca (Postfix, from userid 500) id ADAA080860; Wed, 13 Mar 2013 10:40:28 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 9E1F6804F3; Wed, 13 Mar 2013 10:40:28 -0400 (EDT)
Date: Wed, 13 Mar 2013 10:40:28 -0400
From: Paul Wouters <paul@nohats.ca>
To: Valery Smyslov <svanru@gmail.com>
In-Reply-To: <4C4F5DE0838E4DCFBAE31A02D7ED5D33@buildpc>
Message-ID: <alpine.LFD.2.03.1303131036300.27437@nohats.ca>
References: <20799.34490.611737.922474@fireball.kivinen.iki.fi> <294A12724CB849D2A33F7F80CC82426A@buildpc> <alpine.LFD.2.03.1303130941040.27437@nohats.ca> <4C4F5DE0838E4DCFBAE31A02D7ED5D33@buildpc>
User-Agent: Alpine 2.03 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: ipsec@ietf.org, Tero Kivinen <kivinen@iki.fi>
Subject: Re: [IPsec] IKE fragmentation
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2013 14:40:32 -0000
On Wed, 13 Mar 2013, Valery Smyslov wrote: >> How is that a DOS attack? In our implementation of the IKEv1 >> fragmentation, we limit the number of fragments to 16. We will >> only need to do any crypto when we received the IKE packet >> marked as "last". Then we do crypto once on the assembled packet >> and throw it away when crypto fails. > > If attacker sends you a forged fragment, you cannot determine this > untill you get reassembled the whole message. When you determine > this you have to discard all received fragments (as you don't know > which of them is bogus) and wait for retransmission. For attacker > it is enough to send you forged fragments with rather low rate > to have a good chance to prevent you from communication with your peer. > > I think this is kind of DoS attack as Initiator is denied to get desired > service (IPsec). But then the attacker has to know the SPI/COOKIES too? So it is an in-path attack. But I see you point. > I think that responder should start replying with fragments > immediately after it receives first fragmented message from initiator, > but not before this event. It is initiator who is responsible > for retransmissions and it is his/her responsibility to > switch on fragmentation. Yes, this case is different for IKEv2. >> Our implementation also does not handle the first packet of an >> exchange to be fragmented, because we have no state to store the >> fragments for. In practise this does not matter because the first >> packet is never large enough to need fragmentation. > > We do the same. So does it make sense to say in the document that the first packet must not be fragmented? Paul
- [IPsec] IKE fragmentation Tero Kivinen
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Yaron Sheffer
- Re: [IPsec] IKE fragmentation Paul Wouters
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Paul Wouters
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Paul Wouters
- Re: [IPsec] IKE fragmentation Derek Atkins
- Re: [IPsec] IKE fragmentation Yoav Nir
- Re: [IPsec] IKE fragmentation Yoav Nir
- [IPsec] Informal poll on IKEv2 { over TCP | fragm… Paul Hoffman
- Re: [IPsec] Informal poll on IKEv2 { over TCP | f… Yoav Nir
- Re: [IPsec] Informal poll on IKEv2 { over TCP | f… Paul Wouters
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] Informal poll on IKEv2 { over TCP | f… Valery Smyslov
- Re: [IPsec] IKE fragmentation Yoav Nir
- Re: [IPsec] IKE fragmentation Paul Wouters
- Re: [IPsec] IKE fragmentation Tero Kivinen
- Re: [IPsec] IKE fragmentation Yoav Nir
- Re: [IPsec] IKE fragmentation Yoav Nir
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Paul Wouters
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Tero Kivinen
- Re: [IPsec] Informal poll on IKEv2 { over TCP | f… Paul_Koning
- Re: [IPsec] IKE fragmentation Yaron Sheffer
- [IPsec] Informal poll on IKEv2 { over TCP | fragm… Tero Kivinen
- Re: [IPsec] Informal poll on IKEv2 { over TCP | f… Brian Weis