Re: [IPsec] IKE fragmentation

"Valery Smyslov" <> Wed, 13 March 2013 13:22 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3E84E21F8D35 for <>; Wed, 13 Mar 2013 06:22:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.703
X-Spam-Level: *
X-Spam-Status: No, score=1.703 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, DOS_OE_TO_MX=2.75, FH_RELAY_NODNS=1.451, RDNS_NONE=0.1, STOX_REPLY_TYPE=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LfCmCHTtyr+C for <>; Wed, 13 Mar 2013 06:22:23 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4010:c03::22c]) by (Postfix) with ESMTP id 53ADC21F8A43 for <>; Wed, 13 Mar 2013 06:22:23 -0700 (PDT)
Received: by with SMTP id eb20so1107978lab.3 for <>; Wed, 13 Mar 2013 06:22:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=x-received:message-id:from:to:references:subject:date:mime-version :content-type:content-transfer-encoding:x-priority:x-msmail-priority :x-mailer:x-mimeole; bh=83gy9oI+exNmCpdpbUNPyJzfMa22I+F7RuzN2UVIU14=; b=s3zGdFo88FIr9jigcclo3jXi2Hk76sYM1ymhOWKC9vYXvwAeUy/NzpbKlRdq9ZrLXk LXGgdzs7S6zxv0HwX1qaVp1yP3vGpwcgoPEQjSkso0+HTB2Oy2FpNaQKECTIO12pa6As Ci/OqRYwmrTc6ip4jOZiXoV1VgiFQ7B7/TQpY5qgXzBtl7Mnrw04j8KTz1+ye/h+gOEb qlM9sybbDkKNN0VMbpaMX/CE3v0/HbJADjzX4wYMCbXaaGmdovfQxfDnajM9ErKgyOTg Jv6YAgz4lxV5fPQVFSkjn8UzZSxepJfjehOAHbvKqEV/x9YcYo/ExxoxXL4/bczpqYSM bNqQ==
X-Received: by with SMTP id v3mr17550371lam.57.1363180942289; Wed, 13 Mar 2013 06:22:22 -0700 (PDT)
Received: from buildpc ([]) by with ESMTPS id o11sm1328202lbu.6.2013. (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 13 Mar 2013 06:22:21 -0700 (PDT)
Message-ID: <294A12724CB849D2A33F7F80CC82426A@buildpc>
From: Valery Smyslov <>
To: Tero Kivinen <>,
References: <>
Date: Wed, 13 Mar 2013 17:22:31 +0400
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Subject: Re: [IPsec] IKE fragmentation
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 13 Mar 2013 13:22:24 -0000


> Anyways, if there is already more implementations doing IKE
> framentation, it might be good idea to think whether we should
> standardize that. On the other hand I am not sure if they are well
> enough documented so that different implementations actually talk each
> other...

We support IKEv1 fragmentation based on documentation found at
We are able to interoperate with both Microsoft and Cisco.

> Anyways we should most likely act fastly if we want to get this fixed
> for IKEv2.

As for IKEv2, I don't know how Cisco is doing fragmentation in this case
(it seems to have support for it), but if it is done similarly to IKEv1,
than I prefer our own solution - draft-smyslov-ipsecme-ikev2-fragmentation.
The main difference is that in Microsoft/Cisco solution (for IKEv1)
the whole encrypted ISAKMP message is fragmented,
leaving each fragment unauthanticated untill message get reassembled
and its authentity could be verivied. This opens door for
a very simple DoS attack on receiver.

In our proposal each fragment is encrypted and authenticated
individually, that allows receiver to distinguish valid fragments
from bogus, thus preventing from abovementioned DoS attack.

And, of course, we have implemented this solution in our products.

And, of course, we are intersted in doing IKEv2 fragmentation
in standard, interoperable way (based either on our proposal or
smth else).

Valery Smyslov.

> -- 
> _______________________________________________
> IPsec mailing list