Re: [secdir] sec-dir review of draft-ietf-ipsecme-ikev2-fragmentation-06

Valery Smyslov <svan@elvis.ru> Thu, 03 April 2014 14:42 UTC

Message-ID: <B90F5487B44E4F5E9B0904B14FE94D90@buildpc>
From: Valery Smyslov <svan@elvis.ru>
To: Derek Atkins <derek@ihtfp.com>, <iesg@ietf.org>, <secdir@ietf.org>
References: <sjmzjk2ijfd.fsf@mocana.ihtfp.org>
Date: Thu, 3 Apr 2014 18:42:20 +0400
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/HESDQpBSpUdU2z_LkuLsUlDHMKA
Cc: ipsecme-chairs@tools.ietf.org
Subject: Re: [secdir] sec-dir review of draft-ietf-ipsecme-ikev2-fragmentation-06

Hi Derek,

thank you for your review. Please see my comment inline.

----- Original Message ----- 
From: "Derek Atkins" <derek@ihtfp.com>
To: <iesg@ietf.org>; <secdir@ietf.org>
Cc: <ipsecme-chairs@tools.ietf.org>; <svan@elvis.ru>
Sent: Thursday, April 03, 2014 6:20 PM
Subject: sec-dir review of draft-ietf-ipsecme-ikev2-fragmentation-06


> Hi,
> 
> I have reviewed this document as part of the security directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG.  These comments were written primarily for the benefit of the 
> security area directors.  Document editors and WG chairs should treat 
> these comments just like any other last call comments.
> 
>   This document describes the way to avoid IP fragmentation of large
>   IKEv2 messages.  This allows IKEv2 messages to traverse network
>   devices that don't allow IP fragments to pass through.
> 
> I see no major issues with this document.
> 
> There is still a minor issue where you move the exhaustion attack from
> the IP layer to the IKE layer -- an attacker could, theoretically,
> fill an IKE session with incomplete fragments causing it to use
> resources waiting for missing fragments.

Note that in this proposal each IKE fragment is individually protected - 
encrypted and authenticated. Forged fragments will be detected
before they are placed into the reassembly queue and thus they
cannot exhaust the receiver's resources - only fragments from the real peer
will be taken into consideration. And if the attacker is capable enough 
to drop an arbitrary IP packet, then there is no protection
anyway - the connection will fail at the attacker's will in any case, 
with or without IKE fragmentation.

Regards,
Valery Smyslov.


> -derek
> -- 
>       Derek Atkins                 617-623-3745
>       derek@ihtfp.com             www.ihtfp.com
>       Computer and Internet Security Consultant
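The property Valery relies on above (each fragment carries its own integrity check, so a forged fragment is rejected before any reassembly state is allocated for it) is easy to model. The following is an added example written for this page; it is not code from the draft, from either correspondent, or from any IKEv2 implementation. It uses a stand-in cipher (an HMAC-SHA256 keystream plus a truncated HMAC tag) instead of the real IKEv2 algorithms, a simplified fragment header of message ID, fragment number and total fragments, and an implementation-chosen cap of 64 fragments per message; all of these are assumptions of the example, not the wire format of the draft.

```python
"""Added example: authenticate every fragment before queueing it for reassembly.

Crypto is a stand-in (HMAC-SHA256 keystream + HMAC tag), header layout is
simplified, and the 64-fragment cap is an assumption of this example.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field

HDR = struct.Struct(">IHH")  # message id, fragment number (1-based), total fragments
NONCE_LEN = 8
TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream derived with HMAC; a stand-in for the real cipher."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect_fragment(enc_key, mac_key, msg_id, frag_num, total, chunk):
    """Encrypt one chunk and authenticate header + nonce + ciphertext (encrypt-then-MAC)."""
    hdr = HDR.pack(msg_id, frag_num, total)
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(chunk, _keystream(enc_key, nonce, len(chunk)))
    tag = hmac.new(mac_key, hdr + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return hdr + nonce + ct + tag


def fragment_message(enc_key, mac_key, msg_id, plaintext, frag_size):
    """Split a message into individually protected fragments."""
    chunks = [plaintext[i:i + frag_size] for i in range(0, len(plaintext), frag_size)] or [b""]
    total = len(chunks)
    return [protect_fragment(enc_key, mac_key, msg_id, i + 1, total, c) for i, c in enumerate(chunks)]


@dataclass
class Reassembler:
    enc_key: bytes
    mac_key: bytes
    max_fragments: int = 64  # assumption: implementation-chosen upper bound
    queues: dict = field(default_factory=dict)  # msg_id -> {frag_num: plaintext chunk}
    totals: dict = field(default_factory=dict)  # msg_id -> total fragments claimed
    rejected: int = 0

    def receive(self, pkt: bytes):
        """Return the reassembled plaintext once all fragments are in, else None."""
        if len(pkt) < HDR.size + NONCE_LEN + TAG_LEN:
            self.rejected += 1
            return None
        hdr, rest = pkt[:HDR.size], pkt[HDR.size:]
        nonce, ct, tag = rest[:NONCE_LEN], rest[NONCE_LEN:-TAG_LEN], rest[-TAG_LEN:]
        expect = hmac.new(self.mac_key, hdr + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        # Verify before touching any per-message state: forged fragments cost no queue space.
        if not hmac.compare_digest(tag, expect):
            self.rejected += 1
            return None
        msg_id, frag_num, total = HDR.unpack(hdr)
        if not (1 <= frag_num <= total <= self.max_fragments):
            self.rejected += 1
            return None
        if self.totals.setdefault(msg_id, total) != total:
            self.rejected += 1  # authentic fragments of one message must agree on the total
            return None
        q = self.queues.setdefault(msg_id, {})
        q.setdefault(frag_num, _xor(ct, _keystream(self.enc_key, nonce, len(ct))))  # duplicates are idempotent
        if len(q) == total:
            del self.queues[msg_id]
            del self.totals[msg_id]
            return b"".join(q[i] for i in range(1, total + 1))
        return None

    def queued_fragments(self) -> int:
        return sum(len(q) for q in self.queues.values())


def demo():
    """Constructed scenario: a flood of forged fragments followed by a real message."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    rx = Reassembler(enc_key, mac_key)
    # Attacker sends 1000 forged fragments, each claiming to belong to a 50-fragment message.
    for i in range(1000):
        rx.receive(HDR.pack(7, 1 + i % 50, 50) + os.urandom(NONCE_LEN + 40 + TAG_LEN))
    after_flood = rx.queued_fragments()
    # The real peer then sends a constructed large message, delivered in reverse order.
    msg = b"IKE_AUTH payload with a large certificate chain " * 20
    out = None
    for p in reversed(fragment_message(enc_key, mac_key, 7, msg, 300)):
        out = rx.receive(p) or out
    return after_flood, rx.rejected, out == msg
```

`demo()` returns `(0, 1000, True)`: the thousand forged fragments never occupy the queue, and the genuine message still reassembles afterwards. Swapping the order of the MAC check and the `setdefault` on `queues` is exactly the mistake that would reintroduce the exhaustion Derek describes, so that ordering is the point of the example.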