Re: [secdir] Topic for our SecDir lunch: The PTB-PTS ICMP-based Attack against IPsec Gateways

Yoav Nir <ynir.ietf@gmail.com> Mon, 10 November 2014 23:20 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <38936223-5F53-4EC4-AA7B-15AF5F7F7AF6@inria.fr>
Date: Mon, 10 Nov 2014 13:20:15 -1000
Message-Id: <85C3C2D1-7185-48CD-91A9-5D89B75101BF@gmail.com>
References: <38936223-5F53-4EC4-AA7B-15AF5F7F7AF6@inria.fr>
To: Vincent Roca <vincent.roca@inria.fr>
X-Mailer: Apple Mail (2.1990.1)
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/Ge8gpLtoV-BtMHEmENvicEaaV9M
Cc: ludovic.jacquin@hp.com, secdir@ietf.org
Subject: Re: [secdir] Topic for our SecDir lunch: The PTB-PTS ICMP-based Attack against IPsec Gateways

Hi, Vincent.

Not at all opposed to bringing this up at SecDir lunch, but wouldn’t the IPsecME working group session and the ipsec mailing list be the more appropriate venue?

The SecDir is made up of people with (hopefully) enough knowledge about security to review an arbitrary draft and check that security has been considered and appropriate considerations documented. 

The attack described in that paper is not even specifically related to IPsec. It could plague any tunneling mechanism such as L2TP, GRE, PPTP, IP-in-IP. Although this is an attack, it might be appropriate for the transport area.

Yoav

> On Nov 10, 2014, at 11:13 AM, Vincent Roca <vincent.roca@inria.fr> wrote:
> 
> Hi everybody,
> 
> There’s a subject I’d like to discuss with you tomorrow during our SecDir lunch if we have time for that.
> It’s about a DoS on IPsec we have found with my previous PhD student, Ludovic. It’s described here:
> 
> 	« Too Big or Too Small? The PTB-PTS ICMP-based Attack against IPsec Gateways », GLOBECOM’14.
> 	PDF is freely available at: https://hal.inria.fr/hal-01052994/en/
> 
> The study has limits since it only focuses on IPv4 and a single OS (stable Squeeze Debian distribution).
> That being said, we have an exploit using default IPsec configuration, either preventing end-hosts from opening
> new TCP connections (when relying on PMTUd) or creating large initial delay/performance penalties
> (when relying on PLPMTUd). And UDP connections will be affected too…
> The only thing an attacker needs is to be on the IPsec tunnel path with the ability to eavesdrop encrypted
> traffic and send back a forged packet (e.g., a non-encrypted Wi-Fi network should be sufficient, I see many
> of them available at IETF ;-)
> 
> So we’d like to have your feedback in particular on the following two points:
> 
> - Is there an appropriate way to manage Path MTUs in presence of IPsec tunnels when we are already
> at the minimum PMTU size?
> 
> - Is there an appropriate way to make the end-host (in the « red » protected LAN) and its IPsec gateway
> understand each other when we are already at the minimum PMTU?
> 
> This is clearly a tricky situation that may not be well addressed today. Is it described somewhere in an RFC
> so that implementers have clear guidelines? We didn’t find anything, but it does not mean there’s nothing.
> And may the problem be extended to other tunneling technologies that perform encapsulation?
> 
> Your feedback is welcome.
> Thanks,
> 
>   Ludovic and Vincent
> 
> --
>    Vincent Roca, PhD/HDR, Inria research institute, France
>    http://privatics.inrialpes.fr/~roca