Re: [IPsec] IKE fragmentation

Yaron Sheffer <yaronf.ietf@gmail.com> Thu, 14 March 2013 21:13 UTC


Hi Paul,

Can't an off-path attacker DoS the gateway if they can guess the SPI 
values? We never mandated that SPIs should be random (except for RFC 
6290, in Sec. 9.3, but this is rarely implemented), so implementations 
are free to use very small integers for the SPIs. In fact I think we 
should reconsider mandating random SPIs once again.

Thanks,
	Yaron

On 03/14/2013 04:51 PM, Paul Wouters wrote:
> On Thu, 14 Mar 2013, Tero Kivinen wrote:
>
>> As earlier explained not doing that allows very easy DoS attack, which
>> allows IKEv2 to finish by just sending very few packets, i.e. you send
>> one corrupted fragment to the packet and if you do that before
>> responder gets the correct fragment, the responder stores it for
>> reassembly and after it reassembles the packet it will only then
>> notice that the packet is corrupted, and then it needs to throw the
>> whole packet away. It cannot know which of the fragments is corrupted.
>> This means the initiator needs to retransmit whole packet, i.e. all
>> fragments of it, and attacker can do this again.
>
> Note that requires an observer that can see your cookies/spi. Which would
> mean a local attacker, who could just as easily send you nonsense
> forged from the remote endpoint - as they are guaranteed to answer
> faster. You'd be decrypting thousands of packets to find the needle in
> the haystack. I wonder what the chances then are that you don't end up
> dropping the valid fragment.
>
> If the attacker is not local, they need to be in your path to know the
> spi/cookies, and they can just filter out the valid fragments.
>
> But I see your point, it does raise the bar a little bit. Although I'm
> not convinced it's worth it.
>
> Paul
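
An added example, not part of the original messages and not code from any IKE implementation: a toy model of the reassembly behaviour Tero Kivinen describes in the quoted text, where a receiver that can only check the reassembled message loses the whole message to one bad fragment, next to a receiver that checks each fragment on arrival. The fragment layout, the key, the HMAC-SHA256 tags and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-sa-key"          # constructed; stands in for the SA integrity key
MESSAGE = b"IKE_AUTH payload " * 8   # constructed message body (136 bytes)
FRAG_SIZE = 32

def tag(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()

def fragment(msg: bytes) -> list:
    """Split msg into (index, total, payload, per-fragment tag) tuples."""
    chunks = [msg[i:i + FRAG_SIZE] for i in range(0, len(msg), FRAG_SIZE)]
    total = len(chunks)
    return [(i, total, c, tag(bytes([i, total]) + c)) for i, c in enumerate(chunks)]

def receive_check_after_reassembly(arrivals, whole_tag):
    """Keep the first fragment seen per index; verify only the reassembled message."""
    slots = {}
    for idx, total, payload, _ in arrivals:
        slots.setdefault(idx, payload)       # a bad early arrival occupies the slot
        if len(slots) == total:
            break
    msg = b"".join(slots[i] for i in sorted(slots))
    # On failure the receiver cannot tell which slot was bad: everything is
    # discarded and the sender has to retransmit all fragments.
    return msg if hmac.compare_digest(tag(msg), whole_tag) else None

def receive_check_per_fragment(arrivals):
    """Verify each fragment's own tag on arrival; bad fragments never reach a slot."""
    slots = {}
    for idx, total, payload, frag_tag in arrivals:
        if not hmac.compare_digest(tag(bytes([idx, total]) + payload), frag_tag):
            continue                         # dropped; the genuine copy is still accepted
        slots.setdefault(idx, payload)
        if len(slots) == total:
            return b"".join(slots[i] for i in sorted(slots))
    return None

def demo():
    frags = fragment(MESSAGE)
    # Constructed corrupted fragment for index 1, arriving before the genuine one.
    bad = (1, len(frags), b"\x00" * FRAG_SIZE, b"\x00" * 32)
    arrivals = [frags[0], bad] + frags[1:]
    return (receive_check_after_reassembly(arrivals, tag(MESSAGE)),
            receive_check_per_fragment(arrivals))

if __name__ == "__main__":
    late, early = demo()
    print("check after reassembly:", "delivered" if late else "discarded")
    print("check per fragment:    ", "delivered" if early else "discarded")
```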