[secdir] Topic for our SecDir lunch: The PTB-PTS ICMP-based Attack against IPsec Gateways

Vincent Roca <vincent.roca@inria.fr> Mon, 10 November 2014 21:13 UTC

Return-Path: <vincent.roca@inria.fr>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 70C241ACD60 for <secdir@ietfa.amsl.com>; Mon, 10 Nov 2014 13:13:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.143
X-Spam-Status: No, score=-7.143 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.594] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id qOFLGtOjLggt for <secdir@ietfa.amsl.com>; Mon, 10 Nov 2014 13:13:04 -0800 (PST)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 259AE1A1A2A for <secdir@ietf.org>; Mon, 10 Nov 2014 13:13:03 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.07,355,1413237600"; d="scan'208,217";a="106027596"
Received: from ral033r.vpn.inria.fr ([]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/AES128-SHA; 10 Nov 2014 22:13:00 +0100
From: Vincent Roca <vincent.roca@inria.fr>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E8C6436B-2085-45A9-B4A7-DCF27BEE4829"
Date: Mon, 10 Nov 2014 11:13:01 -1000
Message-Id: <38936223-5F53-4EC4-AA7B-15AF5F7F7AF6@inria.fr>
To: secdir@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/o3QIPozjrWK8GeW_wXRTzLoRE7Q
Cc: ludovic.jacquin@hp.com
Subject: [secdir] Topic for our SecDir lunch: The PTB-PTS ICMP-based Attack against IPsec Gateways
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Nov 2014 21:13:08 -0000

Hi everybody,

There’s a subject I’d like to discuss with you tomorrow during our SecDir lunch if we have time for that.
It’s about a DoS on IPsec we have found with my previous PhD student, Ludovic. It’s described here:

	« Too Big or Too Small? The PTB-PTS ICMP-based Attack against IPsec Gateways », GLOBECOM’14.
	PDF is freely available at:	https://hal.inria.fr/hal-01052994/en/

The study has limits since it only focusses on IPv4 and a single OS (stable Squeeze Debian distribution).
That being said, we have an exploit using default IPsec configuration, either preventing end-hosts to open
new TCP connections (when relying on PMTUd) or creating large initial delay/performance penalties
(when relying on PLPMTUd). And UDP connexions will be affected too…
The only thing an attacker needs is to be on the IPsec tunnel path with the ability to eavesdrop encrypted
traffic and send back a forged packet (e.g., a non encrypted Wifi network should be sufficient, I see many
of them available at IETF ;-)

So we’d like to have your feedback in particular on the following two points:

- Is there an appropriate way to manage Path MTUs in presence of IPsec tunnels when we are already
at the minimum PMTU size?

- Is there an appropriate way to make the end-host (in the « red » protected LAN) and its IPsec gateway
understand each other when we are already at the minimum PMTU?

This is clearly a tricky situation that may not be well addressed today. Is it described somewhere in an RFC
so that implementers have clear guidelines? We didn’t find anything, but it does not mean there’s nothing.
And may the problem be extended to other tunneling technologies that perform encapsulation?

Your feedback is welcome.

  Ludovic and Vincent

   Vincent Roca, PhD/HDR, Inria research institute, France