Re: [IPsec] IKE fragmentation
Tero Kivinen <kivinen@iki.fi> Thu, 14 March 2013 15:09 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 111C911E827C for <ipsec@ietfa.amsl.com>; Thu, 14 Mar 2013 08:09:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zv-Q5UFNL7Db for <ipsec@ietfa.amsl.com>; Thu, 14 Mar 2013 08:09:50 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by ietfa.amsl.com (Postfix) with ESMTP id D774511E823E for <ipsec@ietf.org>; Thu, 14 Mar 2013 08:09:45 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.5/8.14.5) with ESMTP id r2EF8B9G015386 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 14 Mar 2013 17:08:11 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.5/8.12.11) id r2EF8B1D018616; Thu, 14 Mar 2013 17:08:11 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <20801.59355.157237.370109@fireball.kivinen.iki.fi>
Date: Thu, 14 Mar 2013 17:08:11 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Wouters <paul@cypherpunks.ca>
In-Reply-To: <alpine.LFD.2.03.1303141039430.17863@nohats.ca>
References: <20799.34490.611737.922474@fireball.kivinen.iki.fi> <294A12724CB849D2A33F7F80CC82426A@buildpc> <51408287.7080207@gmail.com> <3028CF35E60A40068CE70EB7BB0BDEF1@buildpc> <A5B456F7-DE58-4755-95B0-97D5D15D066C@checkpoint.com> <FCC464E01434424EB7EB4365E86F9130@buildpc> <FCFD00C2-2A6F-4D13-A98C-37BE16DD8A35@checkpoint.com> <20801.57047.617753.249763@fireball.kivinen.iki.fi> <alpine.LFD.2.03.1303141039430.17863@nohats.ca>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 3 min
X-Total-Time: 3 min
Cc: "<ipsec@ietf.org>" <ipsec@ietf.org>, Valery Smyslov <svanru@gmail.com>, Yoav Nir <ynir@checkpoint.com>
Subject: Re: [IPsec] IKE fragmentation
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2013 15:09:59 -0000
Paul Wouters writes: > Note that requires an observer that can see your cookies/spi. Yes. > Which would > mean a local attacker, whom could just as easilly send you nonsense > forged from the remote endpoint - as they are guaranteed to answer > faster. You'd be decrypting thousands of packets to find the needle in > the haystack. I wonder what the chances then are that you don't end up > dropping teh valid fragment. My PC has more than enough CPU power to verify MAC on the packets coming in over the wireless link. On the other hand if attacker fills the wireless link with junk packets, it is very easy to find him. If attacker just sends on random packet every 2 seconds, it is much harder to pinpoint who and where he is. The idea of DoS protection is to make the attack more expensive for the attacker, and also make detecting him easier. Adding MAC to fragments does both. -- kivinen@iki.fi
- [IPsec] IKE fragmentation Tero Kivinen
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Yaron Sheffer
- Re: [IPsec] IKE fragmentation Paul Wouters
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Paul Wouters
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Paul Wouters
- Re: [IPsec] IKE fragmentation Derek Atkins
- Re: [IPsec] IKE fragmentation Yoav Nir
- Re: [IPsec] IKE fragmentation Yoav Nir
- [IPsec] Informal poll on IKEv2 { over TCP | fragm… Paul Hoffman
- Re: [IPsec] Informal poll on IKEv2 { over TCP | f… Yoav Nir
- Re: [IPsec] Informal poll on IKEv2 { over TCP | f… Paul Wouters
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] Informal poll on IKEv2 { over TCP | f… Valery Smyslov
- Re: [IPsec] IKE fragmentation Yoav Nir
- Re: [IPsec] IKE fragmentation Paul Wouters
- Re: [IPsec] IKE fragmentation Tero Kivinen
- Re: [IPsec] IKE fragmentation Yoav Nir
- Re: [IPsec] IKE fragmentation Yoav Nir
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Paul Wouters
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Tero Kivinen
- Re: [IPsec] Informal poll on IKEv2 { over TCP | f… Paul_Koning
- Re: [IPsec] IKE fragmentation Yaron Sheffer
- [IPsec] Informal poll on IKEv2 { over TCP | fragm… Tero Kivinen
- Re: [IPsec] Informal poll on IKEv2 { over TCP | f… Brian Weis