Re: [IPsec] IKE fragmentation

Paul Wouters <> Wed, 13 March 2013 13:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 53E8521F8D07 for <>; Wed, 13 Mar 2013 06:51:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.278
X-Spam-Status: No, score=-2.278 tagged_above=-999 required=5 tests=[AWL=0.321, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id cMeaW9fqmoJW for <>; Wed, 13 Mar 2013 06:51:19 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 8443D21F8CF7 for <>; Wed, 13 Mar 2013 06:51:19 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by (Postfix) with ESMTP id 3ZQvbJ1WVqz147; Wed, 13 Mar 2013 09:51:08 -0400 (EDT)
X-Virus-Scanned: amavisd-new at
Received: from ([IPv6:::1]) by localhost ( [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id EgFSzwYH8AqC; Wed, 13 Mar 2013 09:51:06 -0400 (EDT)
Received: from ( []) by (Postfix) with ESMTP; Wed, 13 Mar 2013 09:51:05 -0400 (EDT)
Received: by (Postfix, from userid 500) id 6946B80860; Wed, 13 Mar 2013 09:51:05 -0400 (EDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 54986804F3; Wed, 13 Mar 2013 09:51:05 -0400 (EDT)
Date: Wed, 13 Mar 2013 09:51:05 -0400
From: Paul Wouters <>
To: Valery Smyslov <>
In-Reply-To: <294A12724CB849D2A33F7F80CC82426A@buildpc>
Message-ID: <>
References: <> <294A12724CB849D2A33F7F80CC82426A@buildpc>
User-Agent: Alpine 2.03 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc:, Tero Kivinen <>
Subject: Re: [IPsec] IKE fragmentation
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 13 Mar 2013 13:51:20 -0000

On Wed, 13 Mar 2013, Valery Smyslov wrote:

> As for IKEv2, I don't know how Cisco is doing fragmentation in this case
> (it seems to have support for it), but if it is done similarly to IKEv1,
> than I prefer our own solution - draft-smyslov-ipsecme-ikev2-fragmentation.
> The main difference is that in Microsoft/Cisco solution (for IKEv1)
> the whole encrypted ISAKMP message is fragmented,
> leaving each fragment unauthanticated untill message get reassembled
> and its authentity could be verivied. This opens door for
> a very simple DoS attack on receiver.

How is that a DOS attack? In our implementation of the IKEv1
fragmentation, we limit the number of fragments to 16. We will
only need to do any crypto when we received the IKE packet
marked as "last". Then we do crypto once on the assembled packet
and throw it away when crypto fails.

> In our proposal each fragment is encrypted and authenticated
> individually, that allows receiver to distinguish valid fragments
> from bogus, thus preventing from abovementioned DoS attack.

But I can send lots of small forged fragments and you will do lots
of crypto on them for _each_ forged fragment. I think you will end
up using a lot more cpu and the attacker needs a lot less bandwidth.

I actually do like the IKEv1 version. It's very simple. And uses
the exact same code path apart from a little buffer where we store
some fragments (with sane limits). The only oddness is that
fragmentation ID that serves no purpose, as you cannot really have
two different packets fragmented in flight for a single exchange.
(well you can, but they are going to be identical anyway)

While implementing the IKEv1 version, I did wonder about what should
trigger fragmentation. For instance, if both parties have send and
received the vendorid, and one side sends fragments, should the
other side fully indepedantly wait for failure/retransmit before
using fragments, or take the hint that if the path is broken one
way, it is likely broken in the other way as well? It seems that
being a little aggressive here can really help the IPsec SA to
establish much faster - especially since our own retransmit time
is 20 seconds, which is something we are now consideraing lowering
a lot.

Our implementation also does not handle the first packet of an
exchange to be fragmented, because we have no state to store the
fragments for. In practise this does not matter because the first
packet is never large enough to need fragmentation.