Re: [IPsec] I-D Action: draft-ietf-ipsecme-ikev2-fragmentation-03.txt

Tero Kivinen <kivinen@iki.fi> Wed, 09 October 2013 15:08 UTC

Message-ID: <21077.28986.498227.592920@fireball.kivinen.iki.fi>
Date: Wed, 09 Oct 2013 18:07:38 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Wouters <paul@cypherpunks.ca>
In-Reply-To: <alpine.LFD.2.10.1310090936090.5047@bofh.nohats.ca>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Valery Smyslov <svanru@gmail.com>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-ikev2-fragmentation-03.txt

Paul Wouters writes:
> On Wed, 9 Oct 2013, Tero Kivinen wrote:
> 
> > For example the
> >
> >   o  Check message validity - in particular, check whether values of
> >      Fragment Number and Total Fragments in Encrypted Fragment Payload
> >      are valid.  If not - message MUST be silently discarded.
> >
> > should be changed to say:
> >
> >   o  Check message validity - in particular, check whether values of
> >      Fragment Number (must be <= Total Fragments) and Total Fragments
> >      (must be >= previously seen Total Fragments for this message) in
> >      Encrypted Fragment Payload are valid. If not - message MUST be
> >      silently discarded.
> >
> > It should clearly say that if Total Fragments is less than previously
> > seen then this fragment needs to be discarded.
> 
> But you must only do that after the decryption/authentication of the
> fragment or we are back at square one with an easy DoS this whole
> mechanism was supposed to protect us from.

We can drop the packets which have Total Fragments less than in the
previously seen authenticated fragment. Dropping packets in the queue,
or updating the Total Fragments value, needs to be done only based on
the authenticated packet, and the document already had those steps
after ICV verification, so it already did that correctly.

The document was just not really explaining what message validity
checks are done in the first bullet point.
-- 
kivinen@iki.fi
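The receive-side ordering argued in this thread, as an added Python sketch that is not from the draft or from any participant: header checks on an unauthenticated fragment may only discard that fragment, and the queue and the stored Total Fragments value change only after the ICV verifies. The HMAC-based ICV, the key and the field encoding are constructed stand-ins for the real integrity check.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass, field


@dataclass
class Fragment:
    """Constructed stand-in for an Encrypted Fragment payload."""
    number: int   # Fragment Number (1-based)
    total: int    # Total Fragments
    body: bytes   # fragment plaintext (encryption omitted for brevity)
    icv: bytes    # integrity check value over header fields and body


def compute_icv(key: bytes, number: int, total: int, body: bytes) -> bytes:
    # Hypothetical ICV: HMAC-SHA256 over the two 16-bit header fields and the body.
    return hmac.new(key, struct.pack(">HH", number, total) + body, hashlib.sha256).digest()


@dataclass
class Reassembler:
    key: bytes
    total: int = 0                       # learned from AUTHENTICATED fragments only
    queue: dict = field(default_factory=dict)

    def receive(self, f: Fragment):
        # 1. Cheap checks on the still-unauthenticated header. Each outcome here
        #    only discards this fragment; nothing about the queue is changed.
        if not 1 <= f.total <= 0xFFFF or not 1 <= f.number <= f.total:
            return "discard: invalid header"
        if f.total < self.total:
            return "discard: Total Fragments below authenticated value"
        # 2. Verify the ICV before trusting anything else in the fragment.
        expected = compute_icv(self.key, f.number, f.total, f.body)
        if not hmac.compare_digest(expected, f.icv):
            return "discard: ICV failure"
        # 3. Only an authenticated fragment may update state: a larger Total
        #    Fragments supersedes the queue, an equal one just adds to it.
        if f.total > self.total:
            self.queue.clear()
            self.total = f.total
        self.queue[f.number] = f.body
        if len(self.queue) == self.total:
            message = b"".join(self.queue[i] for i in range(1, self.total + 1))
            self.queue.clear()
            self.total = 0
            return message
        return "queued"
```

A forged fragment carrying a larger Total Fragments therefore fails at step 2 and never flushes already-queued authenticated fragments, which is the DoS the thread is concerned about.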