Re: [IPsec] IKE fragmentation

"Valery Smyslov" <> Wed, 13 March 2013 14:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0B60121F8D1B for <>; Wed, 13 Mar 2013 07:06:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.702
X-Spam-Level: *
X-Spam-Status: No, score=1.702 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, DOS_OE_TO_MX=2.75, FH_RELAY_NODNS=1.451, RDNS_NONE=0.1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id T-NKxqzZ+qjE for <>; Wed, 13 Mar 2013 07:06:36 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4010:c03::22c]) by (Postfix) with ESMTP id 3640D21F8D42 for <>; Wed, 13 Mar 2013 07:06:35 -0700 (PDT)
Received: by with SMTP id eb20so1170690lab.3 for <>; Wed, 13 Mar 2013 07:06:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=x-received:message-id:from:to:cc:references:subject:date :mime-version:content-type:content-transfer-encoding:x-priority :x-msmail-priority:x-mailer:x-mimeole; bh=5LDQq7LMkhqaWiZ8hAjhNVYQRXjafbxF1S4xRxmeB8g=; b=xP/tZdfoBqVlcnY3Jd4hnZfLRzJvwQNOGkHPGUELUtn0pLP/SGXxpYrb9NLSUs9ICo qlC9qu8MqJTg+92Er6k0PBISfIUaXKspc22P9XPL4F2uk4dcjBVgWmh4pClk8N0eRqML Atd/oyI4sLhOhthEnzekWyeflixHGOsMy+IaUDFPjW31LDY0ZYVHkycLj3U+DFIDkw+L e8sm+QuhfEWHuOvwr8WaZSqkZylU/giV4usl51GIy6h/IpztfwlBKZpr+gzvEHQESZc8 XlqBh67RMfOVj/zvN4fuisb7aWzgFSjpX/Yk8UdC+cJ9J6Uj3/4shN7xFWQDNVkHb9ua +dSw==
X-Received: by with SMTP id r12mr17744775lam.15.1363183593118; Wed, 13 Mar 2013 07:06:33 -0700 (PDT)
Received: from buildpc ([]) by with ESMTPS id pk1sm11364281lab.0.2013. (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 13 Mar 2013 07:06:32 -0700 (PDT)
Message-ID: <3028CF35E60A40068CE70EB7BB0BDEF1@buildpc>
From: Valery Smyslov <>
To: Yaron Sheffer <>
References: <> <294A12724CB849D2A33F7F80CC82426A@buildpc> <>
Date: Wed, 13 Mar 2013 18:06:45 +0400
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="windows-1255"; reply-type="response"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Cc:, Tero Kivinen <>
Subject: Re: [IPsec] IKE fragmentation
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 13 Mar 2013 14:06:37 -0000

Hi Yaron,

> I believe the DoS argument is incorrect, because the message we are most 
> worried about (most likely to get fragmented) is IKE_AUTH, and at this 
> point both peers are not yet authenticated, of course. So fragments and 
> messages can be encrypted but cannot be authenticated. Thus, an attacker 
> can send any number of seemingly valid fragments.
> Let me know if I'm missing anything.

I agree that term "authenticated" is a bit misleading here.
The better term would be "integrity protected".
In our proposal receiver can be absolutely sure that
each fragment comes from the very peer he/she exchanged
DH exponents and calculated shared secret with.

All fragments which ICV cannot be verified are discarded
and don't prevent communication with real peer in any way.

Hope this helps.


> Thanks,
> Yaron
> On 03/13/2013 03:22 PM, Valery Smyslov wrote:
>> Hi,
>>> Anyways, if there is already more implementations doing IKE
>>> framentation, it might be good idea to think whether we should
>>> standardize that. On the other hand I am not sure if they are well
>>> enough documented so that different implementations actually talk each
>>> other...
>> We support IKEv1 fragmentation based on documentation found at
>> We are able to interoperate with both Microsoft and Cisco.
>>> Anyways we should most likely act fastly if we want to get this fixed
>>> for IKEv2.
>> As for IKEv2, I don't know how Cisco is doing fragmentation in this case
>> (it seems to have support for it), but if it is done similarly to IKEv1,
>> than I prefer our own solution - 
>> draft-smyslov-ipsecme-ikev2-fragmentation.
>> The main difference is that in Microsoft/Cisco solution (for IKEv1)
>> the whole encrypted ISAKMP message is fragmented,
>> leaving each fragment unauthanticated untill message get reassembled
>> and its authentity could be verivied. This opens door for
>> a very simple DoS attack on receiver.
>> In our proposal each fragment is encrypted and authenticated
>> individually, that allows receiver to distinguish valid fragments
>> from bogus, thus preventing from abovementioned DoS attack.
>> And, of course, we have implemented this solution in our products.
>> And, of course, we are intersted in doing IKEv2 fragmentation
>> in standard, interoperable way (based either on our proposal or
>> smth else).
>> Regards,
>> Valery Smyslov.
>>> --
>>> _______________________________________________
>>> IPsec mailing list
>> _______________________________________________
>> IPsec mailing list