Re: [secdir] sec-dir review of draft-ietf-ipsecme-ikev2-fragmentation-06

[Valery Smyslov <svan@elvis.ru>]

Hi Derek,

thank you for your review. Please see my comment inline.

----- Original Message ----- 
From: "Derek Atkins" <derek@ihtfp.com>
To: <iesg@ietf.org>; <secdir@ietf.org>
Cc: <ipsecme-chairs@tools.ietf.org>; <svan@elvis.ru>
Sent: Thursday, April 03, 2014 6:20 PM
Subject: sec-dir review of draft-ietf-ipsecme-ikev2-fragmentation-06


> Hi,
> 
> I have reviewed this document as part of the security directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG.  These comments were written primarily for the benefit of the 
> security area directors.  Document editors and WG chairs should treat 
> these comments just like any other last call comments.
> 
>   This document describes the way to avoid IP fragmentation of large
>   IKEv2 messages.  This allows IKEv2 messages to traverse network
>   devices that don't allow IP fragments to pass through.
> 
> I see no major issues with this document.
> 
> There is still a minor issue where you move the exhaustion attack from
> the IP layer to the IKE layer -- an attacker could, theoretically,
> fill an IKE session with incomplete fragments causing it to use
> resources waiting for missing fragments.

Note, that in this proposal each IKE fragment is individually protected - 
encrypted and authenticated. Forged fragments will be detected
before they are placed into reassembling queue and thus they
couldn't exhaust receiver's resources - only fragments from real peer
will be taken into consideration. And if attacker is capable enough 
to drop an arbitrary IP packet, than there is no protection
anyway - the connection will fail on attacker's will in any case, 
with or without IKE fragmentation.

Regards,
Valery Smyslov.


> -derek
> -- 
>       Derek Atkins                 617-623-3745
>       derek@ihtfp.com             www.ihtfp.com
>       Computer and Internet Security Consultant