Re: [IPsec] [Last-Call] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06

"touch@strayalpha.com" <touch@strayalpha.com> Mon, 30 May 2022 15:20 UTC

From: "touch@strayalpha.com" <touch@strayalpha.com>
In-Reply-To: <9d37d517-b6ff-6965-40a2-67f5c2a3e476@huitema.net>
Date: Mon, 30 May 2022 08:20:43 -0700
Cc: Valery Smyslov <svan@elvis.ru>, secdir@ietf.org, draft-ietf-ipsecme-rfc8229bis.all@ietf.org, ipsec@ietf.org, last-call@ietf.org
Message-Id: <183D552C-A06A-4DD4-92B9-6FEF7B9DCED1@strayalpha.com>
References: <165377251630.6282.16767658545384357479@ietfa.amsl.com> <077301d8741b$c0fe9b40$42fbd1c0$@elvis.ru> <9d37d517-b6ff-6965-40a2-67f5c2a3e476@huitema.net>
To: Christian Huitema <huitema@huitema.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/R4onqnV-WIlP-wuMQYkbg9FPZts>

> On May 30, 2022, at 8:00 AM, Christian Huitema <huitema@huitema.net> wrote:
> 
> The bar against TCP injection attacks might be lower than you think. An attacker that sees the traffic can easily inject TCP packets with sequence numbers that fit in the flow control window and are ahead of what the actual sender produced.

It might be useful to be more specific about the issue. Data injection attacks on TCP connections interfere with the IPsec stream in a similar way to IP or UDP fragment attacks on IP or UDP tunnels that use fragmentation. 

In all three cases, attackers can corrupt in-transit packets via IP packet attacks, which is not possible with an unfragmented IPsec message.

In all three cases, this happens when an injection can overwrite a portion of an IPsec message.

Data isn’t injected to the user, though.

Joe
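The exchange above can be made concrete with a small model. The following Python is an added example for this archive page, not code from Joe, Christian, or any RFC 8229 implementation. It assumes a constructed, non-secret key; an integrity-only ESP stand-in (SPI, sequence number, payload, and an HMAC-SHA-256 ICV truncated to 128 bits) in place of a real ESP transform; RFC 8229 style framing with a 2-octet length prefix; a receive-side TCP reassembly in which the first segment seen for a sequence range wins and segments never partially overlap; and an attacker who, having observed the flow, injects a segment of 0xFF bytes with an in-window sequence number ahead of the sender. It shows the two outcomes: an injection that lands inside an ESP message body fails the ICV check and the message is discarded without any attacker bytes reaching the user, while an injection that overwrites a length field desynchronises the framing and stalls the stream until the TCP connection is re-established.

```python
"""Toy model of in-window TCP segment injection against an RFC 8229 style
TCP-encapsulated ESP stream. Added example; not from the original thread."""
import hashlib
import hmac
import struct

ICV_LEN = 16    # HMAC-SHA-256 truncated to 128 bits (stand-in for the real ICV)
ESP_HDR = 8     # SPI (4 octets) + sequence number (4 octets)
FRAME_HDR = 2   # RFC 8229 16-bit length prefix
KEY = b"constructed-demo-key-not-secret-"   # constructed; never reuse in practice
SEG = 21        # TCP segment size chosen so segments align with the frames below


def esp_encap(key, spi, seq, payload):
    """Integrity-only ESP stand-in (NULL encryption): SPI | seq | payload | ICV."""
    hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(key, hdr + payload, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + payload + icv


def tcp_frame(esp_msg):
    """RFC 8229 framing: a 2-octet length that counts the length field itself."""
    return struct.pack("!H", len(esp_msg) + FRAME_HDR) + esp_msg


def decode_stream(key, stream):
    """Walk the reassembled byte stream. Returns (delivered payloads, events)."""
    delivered, events, off = [], [], 0
    while off + FRAME_HDR <= len(stream):
        (length,) = struct.unpack_from("!H", stream, off)
        if length < FRAME_HDR + ESP_HDR + ICV_LEN or off + length > len(stream):
            # Framing is lost; a real peer would tear down the TCP connection.
            events.append(("desync", off))
            break
        msg = stream[off + FRAME_HDR:off + length]
        hdr, payload, icv = msg[:ESP_HDR], msg[ESP_HDR:-ICV_LEN], msg[-ICV_LEN:]
        spi, seq = struct.unpack("!II", hdr)
        expect = hmac.new(key, hdr + payload, hashlib.sha256).digest()[:ICV_LEN]
        if hmac.compare_digest(icv, expect):
            delivered.append(payload)
            events.append(("ok", seq))
        else:
            # ICV failure: the whole message is discarded, nothing reaches the user.
            events.append(("bad_icv", seq))
        off += length
    return delivered, events


class TcpReceiver:
    """Minimal receive-side reassembly: in-window segments are accepted, the
    first segment seen for a sequence number wins, later duplicates are dropped.
    Assumes segments never partially overlap (true for this scenario)."""

    def __init__(self, rcv_nxt, rcv_wnd):
        self.rcv_nxt, self.rcv_wnd = rcv_nxt, rcv_wnd
        self.pending = {}
        self.stream = bytearray()

    def segment(self, seq, data):
        if seq < self.rcv_nxt or seq + len(data) > self.rcv_nxt + self.rcv_wnd:
            return False            # outside the receive window: ignored
        if seq in self.pending:
            return False            # already have data at this seq: duplicate dropped
        self.pending[seq] = data
        while self.rcv_nxt in self.pending:   # deliver in order
            d = self.pending.pop(self.rcv_nxt)
            self.stream += d
            self.rcv_nxt += len(d)
        return True


def run_attack(key, inject_at_segment, segsize=SEG, window=256):
    """Send three framed ESP messages; optionally inject ahead of the sender
    at one segment index. Returns decode_stream() of what the receiver built."""
    stream = b"".join(
        tcp_frame(esp_encap(key, 0x1000, i, (b"message %d" % i).ljust(16, b".")))
        for i in (1, 2, 3))
    segments = [stream[i:i + segsize] for i in range(0, len(stream), segsize)]
    isn = 1000
    rx = TcpReceiver(rcv_nxt=isn, rcv_wnd=window)
    for idx, seg in enumerate(segments):
        seq = isn + idx * segsize
        if idx == inject_at_segment:
            # Attacker who sees the flow races the sender with an in-window seq.
            rx.segment(seq, b"\xff" * len(seg))
        rx.segment(seq, seg)        # sender's real segment; a duplicate if injection landed
    return decode_stream(key, bytes(rx.stream))


if __name__ == "__main__":
    for label, idx in (("no attack", None), ("inject in body", 3), ("inject over length", 2)):
        delivered, events = run_attack(KEY, idx)
        print(label, events, [p.decode() for p in delivered])
```

With the segment size chosen here, segment 3 covers only the tail of message 2, so that message is rejected on ICV and message 3 still decodes; segment 2 covers message 2's length field, so decoding stops at offset 42 and messages 2 and 3 are lost. In neither case does an attacker byte appear in the delivered payloads, which is the sense in which the injection corrupts the IPsec stream without injecting data to the user.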