Re: [secdir] sec-dir review of draft-ietf-ipsecme-ikev2-fragmentation-06

Valery Smyslov <> Thu, 03 April 2014 15:19 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id F0EC31A024E; Thu, 3 Apr 2014 08:19:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -97.301
X-Spam-Status: No, score=-97.301 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_RU=0.595, HOST_EQ_RU=0.875, STOX_REPLY_TYPE=0.439, T_RP_MATCHES_RCVD=-0.01, USER_IN_WHITELIST=-100] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id c8vk2lLztqXq; Thu, 3 Apr 2014 08:18:57 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 8EFEE1A0226; Thu, 3 Apr 2014 08:18:55 -0700 (PDT)
Received: from [] ( by with esmtp (Exim 4.76) (envelope-from <>) id 1WVjPk-0006Hz-2U; Thu, 03 Apr 2014 19:18:48 +0400
Received: from buildpc ( by ( with Microsoft SMTP Server id 14.1.438.0; Thu, 3 Apr 2014 19:18:48 +0400
Message-ID: <038E8235A7E047809B765B35F995772A@buildpc>
From: Valery Smyslov <>
To: Derek Atkins <>
References: <> <B90F5487B44E4F5E9B0904B14FE94D90@buildpc> <>
Date: Thu, 03 Apr 2014 19:18:46 +0400
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="UTF-8"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Subject: Re: [secdir] sec-dir review of draft-ietf-ipsecme-ikev2-fragmentation-06
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 03 Apr 2014 15:19:01 -0000


>> Note, that in this proposal each IKE fragment is individually protected -
>> encrypted and authenticated. Forged fragments will be detected
>> before they are placed into reassembling queue and thus they
>> couldn't exhaust receiver's resources - only fragments from real peer
>> will be taken into consideration. And if attacker is capable enough
>> to drop an arbitrary IP packet, than there is no protection
>> anyway - the connection will fail on attacker's will in any case,
>> with or without IKE fragmentation.
> It's only authenticated in the sense that you have to have already had a
> full round trip so yes, an attacker can not forge their source IP.  But

No, it is fully cryptographically authenticated. IKE fragmentation
may only take place after shared keys (SK_*) keys are computed.

> that doesn't prevent a true DDoS where real hosts (think botnet) all
> perform a real IKE_SA_INIT and then use their sessions to build a lot of
> held state with "fake" fragments that will never complete.

Messages of IKE_SA_INIT cannot be fragmented with this proposal,
because SK_* are not yet computed. This is limitation, mentioned in the 
It is assumed that IKE_SA_INIT messages can
be made relatively small to avoid IP fragmentation.

> Like I said, it's an improvement because it's not at the kernel IP layer,
> and theoretically there are more resources available at the IKE layer.
> But it probably should still be mentioned.  (Not that IKE without
> fragmentation isn't also subject to this kind of DDoS attack).

As I've said, IKE_SA_INIT are beyond this proposal
(and IKE_SA_RESUME also, if we count in IKE session resumption
protocol). But messages of the other exchanges can be
fragmented with full cryptographic protection, including
authentication of each fragment, and I don't think this attack is possible
here (and it was one of the goals to prevent this kind of attack).


> Thanks,
>> Regards,
>> Valery Smyslov.
> -derek
> -- 
>       Derek Atkins                 617-623-3745
>       Computer and Internet Security Consultant