Re: [secdir] Topic for our SecDir lunch: The PTB-PTS ICMP-based Attack against IPsec Gateways
"Moriarty, Kathleen" <kathleen.moriarty@emc.com> Tue, 11 November 2014 21:27 UTC
From: "Moriarty, Kathleen" <kathleen.moriarty@emc.com>
To: Vincent Roca <vincent.roca@inria.fr>
Thread-Topic: [secdir] Topic for our SecDir lunch: The PTB-PTS ICMP-based Attack against IPsec Gateways
Thread-Index: AQHP/SssbZIjXhpCOUON4Fb+N3k+xZxa0z+AgAAFjACAARlMoQ==
Date: Tue, 11 Nov 2014 21:26:54 +0000
Message-ID: <A14F8096-BB61-4D96-AE48-F3CEF790456F@emc.com>
References: <38936223-5F53-4EC4-AA7B-15AF5F7F7AF6@inria.fr> <85C3C2D1-7185-48CD-91A9-5D89B75101BF@gmail.com>, <428B3579-AB82-49D3-A854-293ECBA8FEDD@inria.fr>
In-Reply-To: <428B3579-AB82-49D3-A854-293ECBA8FEDD@inria.fr>
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/DsQBXp0SrYI1Yyu2tVmv-ixEQS0
Cc: "ludovic.jacquin@hp.com" <ludovic.jacquin@hp.com>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Topic for our SecDir lunch: The PTB-PTS ICMP-based Attack against IPsec Gateways
We can touch on this at the meeting. There should be time, but I agree with Yoav.

Thanks,
Kathleen

Sent from my iPhone

On Nov 10, 2014, at 1:40 PM, "Vincent Roca" <vincent.roca@inria.fr> wrote:

> Thanks Yoav.
>
> Yes, having this discussion on IPsec related mailing lists is needed, but I think SecDir can also be appropriate if the problem applies to other tunneling techniques as well (which we didn't test).
> Honestly speaking, I'm trying to figure out how to proceed the best and advice like yours is welcome.
>
> Cheers,
>
> Vincent
>
> On 10 Nov 2014, at 13:20, Yoav Nir <ynir.ietf@gmail.com> wrote:
>
>> Hi, Vincent.
>>
>> Not at all opposed to bringing this up at SecDir lunch, but wouldn't the IPsecME working group session and the ipsec mailing list be the more appropriate venue? The SecDir is made up of people with (hopefully) enough knowledge about security to review an arbitrary draft and check that security has been considered and appropriate considerations documented.
>>
>> The attack described in that paper is not even specifically related to IPsec. It could plague any tunneling mechanism such as L2TP, GRE, PPTP, IP-in-IP. Although this is an attack, it might be appropriate for the transport area.
>>
>> Yoav
>>
>> On Nov 10, 2014, at 11:13 AM, Vincent Roca <vincent.roca@inria.fr> wrote:
>>
>>> Hi everybody,
>>>
>>> There's a subject I'd like to discuss with you tomorrow during our SecDir lunch if we have time for that. It's about a DoS on IPsec we have found with my previous PhD student, Ludovic. It's described here:
>>>
>>> "Too Big or Too Small? The PTB-PTS ICMP-based Attack against IPsec Gateways", GLOBECOM'14.
>>> PDF is freely available at: https://hal.inria.fr/hal-01052994/en/
>>>
>>> The study has limits since it only focusses on IPv4 and a single OS (stable Squeeze Debian distribution).
>>> That being said, we have an exploit using default IPsec configuration, either preventing end-hosts from opening new TCP connections (when relying on PMTUd) or creating large initial delay/performance penalties (when relying on PLPMTUd). And UDP connections will be affected too...
>>>
>>> The only thing an attacker needs is to be on the IPsec tunnel path with the ability to eavesdrop encrypted traffic and send back a forged packet (e.g., a non-encrypted Wifi network should be sufficient, I see many of them available at IETF ;-)
>>>
>>> So we'd like to have your feedback in particular on the following two points:
>>> - Is there an appropriate way to manage Path MTUs in presence of IPsec tunnels when we are already at the minimum PMTU size?
>>> - Is there an appropriate way to make the end-host (in the "red" protected LAN) and its IPsec gateway understand each other when we are already at the minimum PMTU?
>>>
>>> This is clearly a tricky situation that may not be well addressed today. Is it described somewhere in an RFC so that implementers have clear guidelines? We didn't find anything, but it does not mean there's nothing.
>>> And may the problem be extended to other tunneling technologies that perform encapsulation?
>>>
>>> Your feedback is welcome.
>>>
>>> Thanks,
>>>
>>> Ludovic and Vincent
>>>
>>> --
>>> Vincent Roca, PhD/HDR, Inria research institute, France
>>> http://privatics.inrialpes.fr/~roca
>>>
>>> _______________________________________________
>>> secdir mailing list
>>> secdir@ietf.org
>>> https://www.ietf.org/mailman/listinfo/secdir
>>> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
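Added illustration (not part of this thread, and not code from the paper it cites): the two questions Vincent asks come down to arithmetic a tunnel endpoint has to do whenever it receives an ICMP "Fragmentation Needed" (Packet Too Big) message. The script below parses such a message, applies the plausibility checks an IPsec gateway can make before lowering its tunnel PMTU (quoted header is really one of our outbound ESP packets, announced MTU is within the IPv4 bounds and actually lower than the current estimate), and then computes the inner-packet size the gateway would have to relay to hosts in the protected LAN. The ESP overhead figures (AES-CBC-128 with HMAC-SHA1-96, tunnel mode), the gateway addresses, the SPI and the ICMP messages are all constructed assumptions for this example.

```python
import struct
from dataclasses import dataclass

# IPv4 bounds from RFC 791 / RFC 792.
IPV4_MIN_LINK_MTU = 68      # every IPv4 link must carry a 68-byte datagram (RFC 791)
IPV4_MIN_REASSEMBLY = 576   # every IPv4 host must accept a 576-byte datagram (RFC 791)
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4        # "fragmentation needed and DF set", i.e. Packet Too Big
IPPROTO_ESP = 50

# Assumed ESP tunnel-mode overhead for AES-CBC-128 + HMAC-SHA1-96 (a common default
# transform). These sizes are this example's assumption, not values from the thread.
OUTER_IP_HDR = 20
ESP_HDR = 8        # SPI + sequence number
ESP_IV = 16        # AES-CBC IV
ESP_BLOCK = 16     # (inner packet + padding + trailer) is padded to this block size
ESP_TRAILER = 2    # pad length + next header
ESP_ICV = 12       # HMAC-SHA1-96 integrity check value


def max_inner_size(outer_pmtu: int) -> int:
    """Largest inner IPv4 packet that fits one ESP tunnel-mode packet of outer_pmtu bytes.

    This is the PMTU the gateway would have to announce to hosts in the red LAN.
    """
    room = outer_pmtu - OUTER_IP_HDR - ESP_HDR - ESP_IV - ESP_ICV
    room -= room % ESP_BLOCK        # encrypted part must be a whole number of blocks
    return room - ESP_TRAILER


@dataclass
class PtbVerdict:
    accepted: bool
    reason: str
    outer_mtu: int = 0
    inner_mtu: int = 0            # PMTU the gateway would relay to red-LAN hosts
    below_ipv4_min: bool = False  # inner_mtu < 576: the "already at the minimum" case


def build_ptb(mtu: int, src: bytes, dst: bytes, spi: int, proto: int = IPPROTO_ESP) -> bytes:
    """Constructed test input: ICMP Fragmentation Needed quoting an ESP packet.

    Layout per RFC 792/1191: 8-byte ICMP header (Next-Hop MTU in bytes 6-7), then the
    original IP header and the first 8 bytes of its payload. Checksums are left zero;
    they are not what this example checks.
    """
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0, 0x4000, 64, proto, 0, src, dst)
    esp_head = struct.pack("!II", spi, 1)   # SPI, sequence number
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu) + ip_hdr + esp_head


def validate_ptb(icmp: bytes, our_outer_ip: bytes, peer_outer_ip: bytes,
                 outbound_spis: set, current_pmtu: int) -> PtbVerdict:
    """Plausibility checks a tunnel endpoint can apply before lowering its PMTU estimate."""
    if len(icmp) < 8 + 20 + 8:
        return PtbVerdict(False, "truncated ICMP message")
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return PtbVerdict(False, "not a Fragmentation Needed message")
    ip_hdr, payload = icmp[8:28], icmp[28:36]
    if ip_hdr[0] != 0x45 or ip_hdr[9] != IPPROTO_ESP:
        return PtbVerdict(False, "quoted header is not an ESP tunnel packet")
    if ip_hdr[12:16] != our_outer_ip or ip_hdr[16:20] != peer_outer_ip:
        return PtbVerdict(False, "quoted addresses do not match this tunnel")
    spi = struct.unpack("!I", payload[:4])[0]
    if spi not in outbound_spis:
        return PtbVerdict(False, "quoted SPI is not one of our outbound SAs")
    if mtu < IPV4_MIN_LINK_MTU:   # also covers mtu == 0 from pre-RFC 1191 routers
        return PtbVerdict(False, f"announced MTU {mtu} is below the IPv4 minimum link MTU")
    if mtu >= current_pmtu:
        return PtbVerdict(False, "announced MTU would not reduce the current PMTU")
    inner = max_inner_size(mtu)
    return PtbVerdict(True, "accepted", mtu, inner, inner < IPV4_MIN_REASSEMBLY)


# Constructed tunnel parameters: documentation address ranges and a made-up SPI.
OUR_IP = bytes([203, 0, 113, 1])
PEER_IP = bytes([198, 51, 100, 1])
OUR_SPIS = {0x1000ABCD}


def demo():
    """Three messages: a normal reduction, one that drives the tunnel PMTU down to 576,
    and one whose quoted addresses do not belong to this tunnel."""
    normal = validate_ptb(build_ptb(1400, OUR_IP, PEER_IP, 0x1000ABCD), OUR_IP, PEER_IP, OUR_SPIS, 1500)
    floor = validate_ptb(build_ptb(576, OUR_IP, PEER_IP, 0x1000ABCD), OUR_IP, PEER_IP, OUR_SPIS, 1400)
    other = validate_ptb(build_ptb(576, PEER_IP, OUR_IP, 0x1000ABCD), OUR_IP, PEER_IP, OUR_SPIS, 1500)
    return normal, floor, other


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The `floor` case is the situation the two questions describe: an outer PMTU of 576 leaves only 510 bytes for an inner packet under the assumed transform, below the 576 bytes every IPv4 host is required to accept, so the gateway has nothing valid to tell the hosts behind it. The header and SPI checks discard messages that do not concern this tunnel at all, but they cannot tell a genuine router from an on-path party that can read the outer headers, which is the threat model in the paper; what remains for an operator is a configured floor on the tunnel PMTU plus an alert when `below_ipv4_min` is set, so that a tunnel stuck at the minimum is noticed rather than silently degrading.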