Re: [IPsec] IKE fragmentation
"Valery Smyslov" <svanru@gmail.com> Thu, 14 March 2013 14:51 UTC
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF70711E81D0 for <ipsec@ietfa.amsl.com>; Thu, 14 Mar 2013 07:51:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.003
X-Spam-Level: ***
X-Spam-Status: No, score=3.003 tagged_above=-999 required=5 tests=[AWL=1.300, BAYES_00=-2.599, DOS_OE_TO_MX=2.75, FH_RELAY_NODNS=1.451, RDNS_NONE=0.1, STOX_REPLY_TYPE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dmTCI0zOdbe1 for <ipsec@ietfa.amsl.com>; Thu, 14 Mar 2013 07:51:16 -0700 (PDT)
Received: from mail-la0-x22c.google.com (mail-la0-x22c.google.com [IPv6:2a00:1450:4010:c03::22c]) by ietfa.amsl.com (Postfix) with ESMTP id 3014411E819E for <ipsec@ietf.org>; Thu, 14 Mar 2013 07:51:15 -0700 (PDT)
Received: by mail-la0-f44.google.com with SMTP id eb20so2585568lab.17 for <ipsec@ietf.org>; Thu, 14 Mar 2013 07:51:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:message-id:from:to:cc:references:subject:date :mime-version:content-type:content-transfer-encoding:x-priority :x-msmail-priority:x-mailer:x-mimeole; bh=ztS6cUSjinRkn8lP+zFAv4i7T1CvF94ukVGhCXdvC6Q=; b=gFxU8YbCEKhs2HURJKeQpxszN9pz8er/JXwzE2qQh1fO1s4iDw56fIR/PzypuVu5HP 2847Ke4EEqRtg+M59R/e6SC72wrcOi5V6A3PH534vkOqxyR9gyr8unMZfFTGW5+X3qCj sdmikoER8JYJC4lmEsYMgYvQtJx6a8sWWCVyskMZjG2XgeKT9CSTWNNvOxqS8dKlC2m/ XdhDwa9knh6PXIh4RoPOPmIz5FyWokL8T980OVUYMJ0GMEYl29tABupRrQD9y2dckMZk i29HWJEegWufwcd3e2u8SA+OAzeRzRw0PM9Qiple6N67Cg790gzTbZ2LH9LY0iGehNsB Q91g==
X-Received: by 10.152.125.239 with SMTP id mt15mr2477731lab.26.1363272674104; Thu, 14 Mar 2013 07:51:14 -0700 (PDT)
Received: from buildpc ([93.188.44.200]) by mx.google.com with ESMTPS id o11sm915399lbu.6.2013.03.14.07.51.12 (version=TLSv1 cipher=RC4-SHA bits=128/128); Thu, 14 Mar 2013 07:51:13 -0700 (PDT)
Message-ID: <8499A22E140C4EE3AAD3D79C4E304094@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: Yoav Nir <ynir@checkpoint.com>
References: <20799.34490.611737.922474@fireball.kivinen.iki.fi> <294A12724CB849D2A33F7F80CC82426A@buildpc> <51408287.7080207@gmail.com> <3028CF35E60A40068CE70EB7BB0BDEF1@buildpc> <A5B456F7-DE58-4755-95B0-97D5D15D066C@checkpoint.com> <FCC464E01434424EB7EB4365E86F9130@buildpc> <FCFD00C2-2A6F-4D13-A98C-37BE16DD8A35@checkpoint.com>
Date: Thu, 14 Mar 2013 18:51:27 +0400
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Cc: ipsec@ietf.org, Tero Kivinen <kivinen@iki.fi>
Subject: Re: [IPsec] IKE fragmentation
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2013 14:51:17 -0000
> > There is no DH calculating per fragment. DH is calculated once in > > IKE_SA_INIT > > as in ordinary IKE SA establishment (note, that unprotected messages, > > including IKE_SA_INIT > > and IKE_SA_RESUME cannot be fragmented). > > If we do IKEv2 fragments the way everyone does IKEv1 fragments, the > initiator can send multiple fragments that don't assemble to a > protected packet, causing the responder to allocate memory to store these > fragments (at least for a short while). Doing this does not > require completing the D-H calculation, and does not require running > either an encryption or MAC function. Yes, in our solution only protected messages could be fragmented. This is its limitation. But in IKEv2 all messages except for IKE_SA_INIT, IKE_SA_RESUME and some informational must be protected. > What your draft does, is force the initiator to protect each fragment. To > protect a fragment in a way that will cause the responder > to store it, requires running the MAC function, and that in turn requires > generating the keys (running the PRF), which in turn requires > completing the D-H calculation. If the initiator fails to do any of these > things, the fragment will be immediately rejected at the responder. Yes, but initiator needs to do it in any case. You cannot send protected message (fragmented or not) without calculating DH, SKEYSEED etc. > Of course, the D-H calculation is not per-fragment, and I did not claim > that this was the case. Sorry I didn't quite catch you. > > And you spent absolutetly the same amount of CPU power to > > calculate/verify ICV on > > fragments as you would spend it on non-fragmented message > > You spend the same amount only if you require that your ICV verify. This > is not needed for creating DoS on the way fragmentation > is done in IKEv1. ICV must be verified in any case - fragmented or non-fragmented. > > (probably a little bit more, as total length of all fragments of one > > message could > > be a bit more than the length of original message due to padding, IKE > > header and so on, > > but the usual difference is few percents). > > Measurably more, because MAC functions have an initialization part, so > running it on a single packet by parts incurs the per-run > overhead multiple times. See the differences in the throughput of HMAC > based on buffer size (obtained by running "opnessl speed": > > type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 > bytes > hmac(md5) 17801.04k 53527.61k 132966.20k 210528.97k > 253873.49k > > So if the packet is 8000 bytes, and you divided it into 1024 fragments, > you would incur a slightly more than 20% penalty. Yes, as I've said there is some penalty. It may differ depending on algorithm and implementation. I don't see a big problem here, as ICV computation must be fast anyway. Valery.
- [IPsec] IKE fragmentation Tero Kivinen
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Yaron Sheffer
- Re: [IPsec] IKE fragmentation Paul Wouters
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Paul Wouters
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Paul Wouters
- Re: [IPsec] IKE fragmentation Derek Atkins
- Re: [IPsec] IKE fragmentation Yoav Nir
- Re: [IPsec] IKE fragmentation Yoav Nir
- [IPsec] Informal poll on IKEv2 { over TCP | fragm… Paul Hoffman
- Re: [IPsec] Informal poll on IKEv2 { over TCP | f… Yoav Nir
- Re: [IPsec] Informal poll on IKEv2 { over TCP | f… Paul Wouters
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] Informal poll on IKEv2 { over TCP | f… Valery Smyslov
- Re: [IPsec] IKE fragmentation Yoav Nir
- Re: [IPsec] IKE fragmentation Paul Wouters
- Re: [IPsec] IKE fragmentation Tero Kivinen
- Re: [IPsec] IKE fragmentation Yoav Nir
- Re: [IPsec] IKE fragmentation Yoav Nir
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Paul Wouters
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Tero Kivinen
- Re: [IPsec] Informal poll on IKEv2 { over TCP | f… Paul_Koning
- Re: [IPsec] IKE fragmentation Yaron Sheffer
- [IPsec] Informal poll on IKEv2 { over TCP | fragm… Tero Kivinen
- Re: [IPsec] Informal poll on IKEv2 { over TCP | f… Brian Weis