Re: [IPsec] IKE fragmentation
Paul Wouters <paul@cypherpunks.ca> Thu, 14 March 2013 14:52 UTC
Return-Path: <paul@cypherpunks.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7949411E819E for <ipsec@ietfa.amsl.com>; Thu, 14 Mar 2013 07:52:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OU9j6Nlakb4b for <ipsec@ietfa.amsl.com>; Thu, 14 Mar 2013 07:52:03 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) by ietfa.amsl.com (Postfix) with ESMTP id A92CA11E8158 for <ipsec@ietf.org>; Thu, 14 Mar 2013 07:52:02 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3ZRXv433Whz3sq; Thu, 14 Mar 2013 10:52:00 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 1aQQfWFfzbWr; Thu, 14 Mar 2013 10:51:59 -0400 (EDT)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) by mx.nohats.ca (Postfix) with ESMTP; Thu, 14 Mar 2013 10:51:58 -0400 (EDT)
Received: by bofh.nohats.ca (Postfix, from userid 500) id 935F080860; Thu, 14 Mar 2013 10:51:58 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 882D48085F; Thu, 14 Mar 2013 10:51:58 -0400 (EDT)
Date: Thu, 14 Mar 2013 10:51:58 -0400
From: Paul Wouters <paul@cypherpunks.ca>
X-X-Sender: paul@bofh.nohats.ca
To: Tero Kivinen <kivinen@iki.fi>
In-Reply-To: <20801.57047.617753.249763@fireball.kivinen.iki.fi>
Message-ID: <alpine.LFD.2.03.1303141039430.17863@nohats.ca>
References: <20799.34490.611737.922474@fireball.kivinen.iki.fi> <294A12724CB849D2A33F7F80CC82426A@buildpc> <51408287.7080207@gmail.com> <3028CF35E60A40068CE70EB7BB0BDEF1@buildpc> <A5B456F7-DE58-4755-95B0-97D5D15D066C@checkpoint.com> <FCC464E01434424EB7EB4365E86F9130@buildpc> <FCFD00C2-2A6F-4D13-A98C-37BE16DD8A35@checkpoint.com> <20801.57047.617753.249763@fireball.kivinen.iki.fi>
User-Agent: Alpine 2.03 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: "<ipsec@ietf.org>" <ipsec@ietf.org>, Valery Smyslov <svanru@gmail.com>, Yoav Nir <ynir@checkpoint.com>
Subject: Re: [IPsec] IKE fragmentation
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2013 14:52:03 -0000
On Thu, 14 Mar 2013, Tero Kivinen wrote: > As earlier explained not doing that allows very wasy DoS attack, which > allows IKEv2 to finish by just sending very few packets, i.e. you send > one corrupted fragment to the packet and if you do that before > responder gets the correct fragment, the responder stores it for > reassembly and after it reassembles the packet it will only then > notice that the packet is corrupted, and then it needs to throw the > whole packet away. It cannot know which of the fragment is corrupted. > This means the initiator needs to retransmit whole packet, i.e. all > fragments of it, and attacker can do this again. Note that requires an observer that can see your cookies/spi. Which would mean a local attacker, whom could just as easilly send you nonsense forged from the remote endpoint - as they are guaranteed to answer faster. You'd be decrypting thousands of packets to find the needle in the haystack. I wonder what the chances then are that you don't end up dropping teh valid fragment. If the attacker is not local, they need to be in your path to know the spi/cookies, and they can just filter out the valid fragments. But I see your point, it does raise the bar a little bit. Although I'm not convinced it's worth it. Paul
- [IPsec] IKE fragmentation Tero Kivinen
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Yaron Sheffer
- Re: [IPsec] IKE fragmentation Paul Wouters
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Paul Wouters
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Paul Wouters
- Re: [IPsec] IKE fragmentation Derek Atkins
- Re: [IPsec] IKE fragmentation Yoav Nir
- Re: [IPsec] IKE fragmentation Yoav Nir
- [IPsec] Informal poll on IKEv2 { over TCP | fragm… Paul Hoffman
- Re: [IPsec] Informal poll on IKEv2 { over TCP | f… Yoav Nir
- Re: [IPsec] Informal poll on IKEv2 { over TCP | f… Paul Wouters
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] Informal poll on IKEv2 { over TCP | f… Valery Smyslov
- Re: [IPsec] IKE fragmentation Yoav Nir
- Re: [IPsec] IKE fragmentation Paul Wouters
- Re: [IPsec] IKE fragmentation Tero Kivinen
- Re: [IPsec] IKE fragmentation Yoav Nir
- Re: [IPsec] IKE fragmentation Yoav Nir
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Paul Wouters
- Re: [IPsec] IKE fragmentation Valery Smyslov
- Re: [IPsec] IKE fragmentation Tero Kivinen
- Re: [IPsec] Informal poll on IKEv2 { over TCP | f… Paul_Koning
- Re: [IPsec] IKE fragmentation Yaron Sheffer
- [IPsec] Informal poll on IKEv2 { over TCP | fragm… Tero Kivinen
- Re: [IPsec] Informal poll on IKEv2 { over TCP | f… Brian Weis