Re: [IPsec] IKE fragmentation

Tero Kivinen <kivinen@iki.fi> Thu, 14 March 2013 15:09 UTC

Message-ID: <20801.59355.157237.370109@fireball.kivinen.iki.fi>
Date: Thu, 14 Mar 2013 17:08:11 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Wouters <paul@cypherpunks.ca>
In-Reply-To: <alpine.LFD.2.03.1303141039430.17863@nohats.ca>
References: <20799.34490.611737.922474@fireball.kivinen.iki.fi> <294A12724CB849D2A33F7F80CC82426A@buildpc> <51408287.7080207@gmail.com> <3028CF35E60A40068CE70EB7BB0BDEF1@buildpc> <A5B456F7-DE58-4755-95B0-97D5D15D066C@checkpoint.com> <FCC464E01434424EB7EB4365E86F9130@buildpc> <FCFD00C2-2A6F-4D13-A98C-37BE16DD8A35@checkpoint.com> <20801.57047.617753.249763@fireball.kivinen.iki.fi> <alpine.LFD.2.03.1303141039430.17863@nohats.ca>
Cc: "<ipsec@ietf.org>" <ipsec@ietf.org>, Valery Smyslov <svanru@gmail.com>, Yoav Nir <ynir@checkpoint.com>
Subject: Re: [IPsec] IKE fragmentation

Paul Wouters writes:
> Note that this requires an observer who can see your cookies/SPI.

Yes.

> Which would
> mean a local attacker, who could just as easily send you nonsense
> forged from the remote endpoint - as they are guaranteed to answer
> faster. You'd be decrypting thousands of packets to find the needle in
> the haystack. I wonder what the chances then are that you don't end up
> dropping the valid fragment.

My PC has more than enough CPU power to verify the MAC on the packets
coming in over the wireless link. On the other hand, if an attacker fills
the wireless link with junk packets, it is very easy to find him. If an
attacker just sends one random packet every 2 seconds, it is much
harder to pinpoint who and where he is.

The idea of DoS protection is to make the attack more expensive for
the attacker, and also to make detecting him easier. Adding a MAC to
fragments does both.
-- 
kivinen@iki.fi
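The exchange above turns on one design point: a forged fragment that arrives before the real one must not be able to take the real one's slot in the reassembly buffer, and rejecting it should cost the receiver no more than one MAC computation. The following model illustrates that point; it is an added example written for this archive page, not code from either participant or from any IKE implementation. The fragment layout (message id, fragment number, total, payload, truncated HMAC-SHA-256 tag), the key material and the message bytes are constructed for the example and are not the IKEv2 wire format.

```python
"""Per-fragment integrity protection for a fragment reassembler.

Added illustrative example; the header layout, keys and message are
constructed for this demonstration and do not follow any IKE RFC.
"""
import hashlib
import hmac
import struct

# Constructed values: an SA integrity key the peers share, a key the
# attacker must guess, and a stand-in for a large IKE_AUTH message.
SA_KEY = b"example-ike-sa-integrity-key-0001"
ATTACKER_KEY = b"attacker-does-not-know-the-sa-key"
MESSAGE = b"IKE_AUTH payloads: IDi | CERT | AUTH | SAi2 | TSi | TSr (constructed)"

HDR = struct.Struct("!IHH")   # message id, fragment number (1-based), total fragments
MAC_LEN = 16                  # truncated HMAC-SHA-256 tag; constructed choice


def make_fragment(key, msg_id, frag_num, total, payload):
    """Return header || payload || MAC. The MAC covers the header, so a
    valid tag cannot be re-used for another message id or fragment slot."""
    header = HDR.pack(msg_id, frag_num, total)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:MAC_LEN]
    return header + payload + tag


def split_message(key, msg_id, message, frag_size):
    """Split a message into authenticated fragments of at most frag_size bytes."""
    chunks = [message[i:i + frag_size] for i in range(0, len(message), frag_size)]
    return [make_fragment(key, msg_id, n, len(chunks), c) for n, c in enumerate(chunks, 1)]


class Reassembler:
    """Buffers the fragments of one message.

    verify=True admits a fragment only after its MAC checks (the proposal
    discussed above); verify=False models the unprotected reassembler, where
    the first fragment claiming a slot wins."""

    def __init__(self, key, verify):
        self.key, self.verify = key, verify
        self.msg_id, self.total = None, None
        self.parts, self.dropped = {}, 0

    def accept(self, fragment):
        if len(fragment) < HDR.size + MAC_LEN:
            self.dropped += 1
            return False
        header = fragment[:HDR.size]
        body, tag = fragment[HDR.size:-MAC_LEN], fragment[-MAC_LEN:]
        if self.verify:
            expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:MAC_LEN]
            if not hmac.compare_digest(tag, expected):
                self.dropped += 1      # one MAC computation; no buffer slot consumed
                return False
        msg_id, frag_num, total = HDR.unpack(header)
        if self.total is None:
            self.msg_id, self.total = msg_id, total
        if msg_id != self.msg_id or total != self.total or not 1 <= frag_num <= total:
            self.dropped += 1
            return False
        self.parts.setdefault(frag_num, body)  # first arrival for a slot is kept
        return True

    def message(self):
        """Reassembled message once every slot is filled, else None."""
        if self.total is None or len(self.parts) != self.total:
            return None
        return b"".join(self.parts[i] for i in range(1, self.total + 1))


def run_scenario(verify):
    """An observer who has seen the message id and fragment count injects a
    forged fragment 2 that arrives before the genuine one.
    Returns (reassembled message or None, number of fragments dropped)."""
    real = split_message(SA_KEY, 7, MESSAGE, frag_size=24)
    forged = make_fragment(ATTACKER_KEY, 7, 2, len(real), b"X" * 24)
    r = Reassembler(SA_KEY, verify=verify)
    for frag in (real[0], forged, real[1], real[2]):  # forged one "answers faster"
        r.accept(frag)
    return r.message(), r.dropped


if __name__ == "__main__":
    print("without MAC check:", run_scenario(False))
    print("with MAC check:   ", run_scenario(True))
```

Without the check, the forged fragment takes slot 2 and the reassembled result is garbage while the receiver drops nothing, which is the outcome Paul describes; with the check, the forged fragment costs one HMAC computation, is counted as dropped, and the genuine message is recovered. The `dropped` counter is also the hook for the detection side of the argument: a steady trickle of MAC failures on one link is a measurable signal even when the packet rate is low.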