Re: [IPsec] IKE fragmentation

["Valery Smyslov" <svanru@gmail.com>]

Hi Paul,

>> As for IKEv2, I don't know how Cisco is doing fragmentation in this case
>> (it seems to have support for it), but if it is done similarly to IKEv1,
>> than I prefer our own solution - 
>> draft-smyslov-ipsecme-ikev2-fragmentation.
>> The main difference is that in Microsoft/Cisco solution (for IKEv1)
>> the whole encrypted ISAKMP message is fragmented,
>> leaving each fragment unauthanticated untill message get reassembled
>> and its authentity could be verivied. This opens door for
>> a very simple DoS attack on receiver.
>
> How is that a DOS attack? In our implementation of the IKEv1
> fragmentation, we limit the number of fragments to 16. We will
> only need to do any crypto when we received the IKE packet
> marked as "last". Then we do crypto once on the assembled packet
> and throw it away when crypto fails.

If attacker sends you a forged fragment, you cannot determine this
untill you get reassembled the whole message. When you determine
this you have to discard all received fragments (as you don't know
which of them is bogus) and wait for retransmission. For attacker
it is enough to send you forged fragments with rather low rate
to have a good chance to prevent you from communication with your peer.

I think this is kind of DoS attack as Initiator is denied to get desired 
service (IPsec).

>> In our proposal each fragment is encrypted and authenticated
>> individually, that allows receiver to distinguish valid fragments
>> from bogus, thus preventing from abovementioned DoS attack.
>
> But I can send lots of small forged fragments and you will do lots
> of crypto on them for _each_ forged fragment. I think you will end
> up using a lot more cpu and the attacker needs a lot less bandwidth.

ICV check is (must be) very fast, and you cannot avoid this attack
even without fragmentation - attacker can send you
forged regular messages and you will have to do ICV check
for each of them. I don't think fragmentation makes this worse.

> I actually do like the IKEv1 version. It's very simple. And uses
> the exact same code path apart from a little buffer where we store
> some fragments (with sane limits). The only oddness is that
> fragmentation ID that serves no purpose, as you cannot really have
> two different packets fragmented in flight for a single exchange.
> (well you can, but they are going to be identical anyway)
>
> While implementing the IKEv1 version, I did wonder about what should
> trigger fragmentation. For instance, if both parties have send and
> received the vendorid, and one side sends fragments, should the
> other side fully indepedantly wait for failure/retransmit before
> using fragments, or take the hint that if the path is broken one
> way, it is likely broken in the other way as well? It seems that
> being a little aggressive here can really help the IPsec SA to
> establish much faster - especially since our own retransmit time
> is 20 seconds, which is something we are now consideraing lowering
> a lot.

I think that responder should start replying with fragments
immediately after it receives first fragmented message from initiator,
but not before this event. It is initiator who is responsible
for retransmissions and it is his/her responsibility to
switch on fragmentation.

> Our implementation also does not handle the first packet of an
> exchange to be fragmented, because we have no state to store the
> fragments for. In practise this does not matter because the first
> packet is never large enough to need fragmentation.

We do the same.

> Paul

Regards,
Valery.