Re: [secdir] Topic for our SecDir lunch: The PTB-PTS ICMP-based Attack against IPsec Gateways

Vincent Roca <> Mon, 10 November 2014 23:40 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id D09891AD087 for <>; Mon, 10 Nov 2014 15:40:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7.143
X-Spam-Status: No, score=-7.143 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.594] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id D4SZP9w2blER for <>; Mon, 10 Nov 2014 15:40:26 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9A8FF1AD084 for <>; Mon, 10 Nov 2014 15:40:10 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.07,355,1413237600"; d="scan'208,217";a="106040898"
Received: from ([]) by with ESMTP/TLS/AES128-SHA; 11 Nov 2014 00:40:06 +0100
Content-Type: multipart/alternative; boundary="Apple-Mail=_9526ACEC-DC42-4691-9081-38EE78475CDB"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Vincent Roca <>
In-Reply-To: <>
Date: Mon, 10 Nov 2014 13:40:06 -1000
Message-Id: <>
References: <> <>
To: Yoav Nir <>
X-Mailer: Apple Mail (2.1878.6)
Subject: Re: [secdir] Topic for our SecDir lunch: The PTB-PTS ICMP-based Attack against IPsec Gateways
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 10 Nov 2014 23:40:30 -0000

Thanks Yoav. Yes, having this discussion on IPsec related mailing lists is needed, but I think SecDir
can also be appropriate if the problem applies to other tunneling techniques as well (which we didn’t test).
Honestly speaking, I’m trying to figure out how to proceed the best and advices like yours are welcome.


Le 10 nov. 2014 à 13:20, Yoav Nir <> a écrit :
> Hi, Vincent.
> Not at all opposed to bringing this up at SecDir lunch, but wouldn’t the IPsecME working group session and the ipsec mailing list be the more appropriate venue?
> The SecDir is made up of people with (hopefully) enough knowledge about security to review an arbitrary draft and check that security has been considered and appropriate considerations documented. 
> The attack described in that paper is not even specifically related to IPsec. It could plague any tunneling mechanism such as L2TP, GRE, PPTP, IP-in-IP. Although this is an attack, it might be appropriate for the transport area.
> Yoav
>> On Nov 10, 2014, at 11:13 AM, Vincent Roca <> wrote:
>> Hi everybody,
>> There’s a subject I’d like to discuss with you tomorrow during our SecDir lunch if we have time for that.
>> It’s about a DoS on IPsec we have found with my previous PhD student, Ludovic. It’s described here:
>> 	« Too Big or Too Small? The PTB-PTS ICMP-based Attack against IPsec Gateways », GLOBECOM’14.
>> 	PDF is freely available at:
>> The study has limits since it only focusses on IPv4 and a single OS (stable Squeeze Debian distribution).
>> That being said, we have an exploit using default IPsec configuration, either preventing end-hosts to open
>> new TCP connections (when relying on PMTUd) or creating large initial delay/performance penalties
>> (when relying on PLPMTUd). And UDP connexions will be affected too…
>> The only thing an attacker needs is to be on the IPsec tunnel path with the ability to eavesdrop encrypted
>> traffic and send back a forged packet (e.g., a non encrypted Wifi network should be sufficient, I see many
>> of them available at IETF ;-)
>> So we’d like to have your feedback in particular on the following two points:
>> - Is there an appropriate way to manage Path MTUs in presence of IPsec tunnels when we are already
>> at the minimum PMTU size?
>> - Is there an appropriate way to make the end-host (in the « red » protected LAN) and its IPsec gateway
>> understand each other when we are already at the minimum PMTU?
>> This is clearly a tricky situation that may not be well addressed today. Is it described somewhere in an RFC
>> so that implementers have clear guidelines? We didn’t find anything, but it does not mean there’s nothing.
>> And may the problem be extended to other tunneling technologies that perform encapsulation?
>> Your feedback is welcome.
>> Thanks,
>>   Ludovic and Vincent
>> --
>>    Vincent Roca, PhD/HDR, Inria research institute, France
>> _______________________________________________
>> secdir mailing list
>> wiki: