Re: [secdir] Topic for our SecDir lunch: The PTB-PTS ICMP-based Attack against IPsec Gateways

"Moriarty, Kathleen" <> Tue, 11 November 2014 21:27 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id AB0261A1B53 for <>; Tue, 11 Nov 2014 13:27:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.894
X-Spam-Status: No, score=-4.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HeTeDvNs66vo for <>; Tue, 11 Nov 2014 13:27:17 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C6ED91A0020 for <>; Tue, 11 Nov 2014 13:27:16 -0800 (PST)
Received: from ( []) by (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id sABLRABw007470 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 11 Nov 2014 16:27:11 -0500
X-DKIM: OpenDKIM Filter v2.4.3 sABLRABw007470
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;; s=jan2013; t=1415741231; bh=w0wHMU7qBL3UjYHGMsUVbJzZ/Fw=; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:MIME-Version; b=SHLXW2yfv59zESOxd7kiQKAHSrbjgOMFZCszKYtlbcGRGdz1Z3GUpNvV6x3ce3Eo3 qP9h1wKc4+/4llMcSCmDwglszBfBoy9dheqoDyjIgRE035Krn3bKC3c/Ej4uq5Dr7f 6occxaHQm3pn2JmRRTO5deDA6tOgKCLWNkVilf9Q=
X-DKIM: OpenDKIM Filter v2.4.3 sABLRABw007470
Received: from ( []) by (RSA Interceptor); Tue, 11 Nov 2014 16:26:04 -0500
Received: from ( []) by (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id sABLQt4J020467 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 11 Nov 2014 16:26:56 -0500
Received: from ( by ( with Microsoft SMTP Server (TLS) id 8.3.327.1; Tue, 11 Nov 2014 16:26:55 -0500
Received: from ([]) by ([]) with mapi id 14.03.0195.001; Tue, 11 Nov 2014 16:26:55 -0500
From: "Moriarty, Kathleen" <>
To: Vincent Roca <>
Thread-Topic: [secdir] Topic for our SecDir lunch: The PTB-PTS ICMP-based Attack against IPsec Gateways
Thread-Index: AQHP/SssbZIjXhpCOUON4Fb+N3k+xZxa0z+AgAAFjACAARlMoQ==
Date: Tue, 11 Nov 2014 21:26:54 +0000
Message-ID: <>
References: <> <>, <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_A14F8096BB614D96AE48F3CEF790456Femccom_"
MIME-Version: 1.0
X-RSA-Classifications: DLM_1, public
Cc: "" <>, "" <>
Subject: Re: [secdir] Topic for our SecDir lunch: The PTB-PTS ICMP-based Attack against IPsec Gateways
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 11 Nov 2014 21:27:19 -0000

We can touch on this at the meeting.  There should be time, but I agree with Yoav.


Sent from my iPhone

On Nov 10, 2014, at 1:40 PM, "Vincent Roca" <<>> wrote:

Thanks Yoav. Yes, having this discussion on IPsec related mailing lists is needed, but I think SecDir
can also be appropriate if the problem applies to other tunneling techniques as well (which we didn’t test).
Honestly speaking, I’m trying to figure out how to proceed the best and advices like yours are welcome.


Le 10 nov. 2014 à 13:20, Yoav Nir <<>> a écrit :
Hi, Vincent.

Not at all opposed to bringing this up at SecDir lunch, but wouldn’t the IPsecME working group session and the ipsec mailing list be the more appropriate venue?

The SecDir is made up of people with (hopefully) enough knowledge about security to review an arbitrary draft and check that security has been considered and appropriate considerations documented.

The attack described in that paper is not even specifically related to IPsec. It could plague any tunneling mechanism such as L2TP, GRE, PPTP, IP-in-IP. Although this is an attack, it might be appropriate for the transport area.


On Nov 10, 2014, at 11:13 AM, Vincent Roca <<>> wrote:

Hi everybody,

There’s a subject I’d like to discuss with you tomorrow during our SecDir lunch if we have time for that.
It’s about a DoS on IPsec we have found with my previous PhD student, Ludovic. It’s described here:

« Too Big or Too Small? The PTB-PTS ICMP-based Attack against IPsec Gateways », GLOBECOM’14.
PDF is freely available at:

The study has limits since it only focusses on IPv4 and a single OS (stable Squeeze Debian distribution).
That being said, we have an exploit using default IPsec configuration, either preventing end-hosts to open
new TCP connections (when relying on PMTUd) or creating large initial delay/performance penalties
(when relying on PLPMTUd). And UDP connexions will be affected too…
The only thing an attacker needs is to be on the IPsec tunnel path with the ability to eavesdrop encrypted
traffic and send back a forged packet (e.g., a non encrypted Wifi network should be sufficient, I see many
of them available at IETF ;-)

So we’d like to have your feedback in particular on the following two points:

- Is there an appropriate way to manage Path MTUs in presence of IPsec tunnels when we are already
at the minimum PMTU size?

- Is there an appropriate way to make the end-host (in the « red » protected LAN) and its IPsec gateway
understand each other when we are already at the minimum PMTU?

This is clearly a tricky situation that may not be well addressed today. Is it described somewhere in an RFC
so that implementers have clear guidelines? We didn’t find anything, but it does not mean there’s nothing.
And may the problem be extended to other tunneling technologies that perform encapsulation?

Your feedback is welcome.

  Ludovic and Vincent

   Vincent Roca, PhD/HDR, Inria research institute, France
secdir mailing list<>

secdir mailing list<>