Re: [IPsec] IKE fragmentation

Yoav Nir <> Thu, 14 March 2013 14:10 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 635F711E811F for <>; Thu, 14 Mar 2013 07:10:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -9.224
X-Spam-Status: No, score=-9.224 tagged_above=-999 required=5 tests=[AWL=1.375, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NBhf9j2LUFqO for <>; Thu, 14 Mar 2013 07:10:48 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 03D7B21F8CA2 for <>; Thu, 14 Mar 2013 07:10:47 -0700 (PDT)
Received: from ([]) by (8.13.8/8.13.8) with ESMTP id r2EEAfEs029651; Thu, 14 Mar 2013 16:10:41 +0200
X-CheckPoint: {5141D985-0-1B221DC2-2FFFF}
Received: from ([]) by ([]) with mapi id 14.02.0342.003; Thu, 14 Mar 2013 16:10:41 +0200
From: Yoav Nir <>
To: Valery Smyslov <>
Thread-Topic: [IPsec] IKE fragmentation
Thread-Index: AQHOH/P+dHmEPMd7P0SMbddmnpEj3pikJ5oAgAEK/gb//+digA==
Date: Thu, 14 Mar 2013 14:10:40 +0000
Message-ID: <>
References: <> <294A12724CB849D2A33F7F80CC82426A@buildpc> <> <3028CF35E60A40068CE70EB7BB0BDEF1@buildpc> <> <FCC464E01434424EB7EB4365E86F9130@buildpc>
In-Reply-To: <FCC464E01434424EB7EB4365E86F9130@buildpc>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "<>" <>, Tero Kivinen <>
Subject: Re: [IPsec] IKE fragmentation
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 14 Mar 2013 14:10:49 -0000

On Mar 14, 2013, at 9:38 AM, Valery Smyslov <> wrote:

> Hi Yoav.
>> > I agree that term "authenticated" is a bit misleading here.
>> > The better term would be "integrity protected".
>> > In our proposal receiver can be absolutely sure that
>> > each fragment comes from the very peer he/she exchanged
>> > DH exponents and calculated shared secret with.
>> >
>> > All fragments which ICV cannot be verified are discarded
>> > and don't prevent communication with real peer in any way.
>> So in order to get the responder to spend memory resources on storing the fragment, the initiator needs to expand
>> CPU resources on  completing the D-H calculation, and calculating integrity protection on the fragment. Makes sense.
> Sorry, did you read the draft?


> There is no DH calculating per fragment. DH is calculated once in IKE_SA_INIT
> as in ordinary IKE SA establishment (note, that unprotected messages, including IKE_SA_INIT
> and IKE_SA_RESUME cannot be fragmented).

If we do IKEv2 fragments the way everyone does IKEv1 fragments, the initiator can send multiple fragments that don't assemble to a protected packet, causing the responder to allocate memory to store these fragments (at least for a short while). Doing this does not require completing the D-H calculation, and does not require running either an encryption or MAC function.

What your draft does, is force the initiator to protect each fragment. To protect a fragment in a way that will cause the responder to store it, requires running the MAC function, and that in turn requires generating the keys (running the PRF), which in turn requires completing the D-H calculation. If the initiator fails to do any of these things, the fragment will be immediately rejected at the responder. Of course, the D-H calculation is not per-fragment, and I did not claim that this was the case.

> And you spent absolutetly the same amount of CPU power to calculate/verify ICV on
> fragments as you would spend it on non-fragmented message

You spend the same amount only if you require that your ICV verify. This is not needed for creating DoS on the way fragmentation is done in IKEv1.

> (probably a little bit more, as total length of all fragments of one message could
> be a bit more than the length of original message due to padding, IKE header and so on,
> but the usual difference is few percents).

Measurably more, because MAC functions have an initialization part, so running it on a single packet by parts incurs the per-run overhead multiple times. See the differences in the throughput of HMAC based on buffer size (obtained by running "opnessl speed":

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
hmac(md5)        17801.04k    53527.61k   132966.20k   210528.97k   253873.49k

So if the packet is 8000 bytes, and you divided it into 1024 fragments, you would incur a slightly more than 20% penalty.

> Let me emphasize again.
> 1. In our proposal sender and receiver spend roughly the same amount of CPU power
>   as they would spend on protecting/verifying non-fragmented message.
> 2. In our proposal sender and receiver spend roughly the same amount of CPU power
>   as they would spend on protecting/verifying fragmented message in Cisco/MS solution.
> 3. In our proposal sender needs to encrypt/protect one message twice only once
>   per SA establishments and only if he/she tries first to send unfragmented
>   message and after some retransmits decides to resend it fragmented.
>   This is avoidable if sender always sends large messages fragmented.
> 4. Comparing to Cisco/MS solution our proposal allows receiver to
>   verify integrity of individual fragment, so forged fragments will not
>   consume receiver's memory and could not prevent receiver
>   from getting valid fragments.
>> What do you get when you put together the fragments? a decrypted IKE message?  Just the list of payloads?
> After you decrypt and verify content of Encrypted Fragment Payload of all fragments,
> get rid of now unnecessary headers and put all together, you get a decrypted IKE message.