IKE negotiation for fragmentation controls in IPsec

[Stephen Kent <kent@bbn.com>]

A few folks have observed that the current processing requirements 
for AH and ESP mandate ciphertext (post IPsec encapsulation) 
fragmentation and that this poses DoS vulnerabilities for receivers. 
(An attacker can create what appear to be legitimate, non-initial 
fragments and cause reassembly problems for the receiver).

As we revise 2401, we may choose to allow (or even recommend) 
plaintext (pre-IPsec encapsulation) fragmentation. If so, we need to 
be able to negotiate use of this capability on a per-SA basis, and to 
notify the receiver that NO ciphertext fragments should be accepted 
for this SA, because none will be sent by this transmitter. So, I 
suggest that we add a paylod to IKE to allow an initiator to indicate 
the intent to never send ciphertext fragments. The responder can take 
advantage of this info to better protect itself, or it can ignore the 
info, but it needs to be told to be able to take advantage of the 
capability. I would also like to see the responder be able to notify 
the initiator of its intent re the companion (reverse) SA, if 
appropriate.

A logical (but admittedly separable) companion to this feature is to 
allow the initiator to request the responder to accept fragments on 
an SA where port fields are used as selectors. The issue here is that 
a host may send fragments to an IPsec device that requires port field 
examination for the SA to which the fragments will be mapped. It 
seems reasonably safe to allow fragments (with a suitable, minimum 
offset) to pass through such as SA, with only the initial fragment 
having the port fields examined. This is a separate negotiation 
because the fragments arise from hosts behind the IPsec device, but 
it is related, because if one fragments at the sending IPsec device, 
it would be nice to be able to use this feature to allow the receiver 
to pass on fragments, not reassemble them (in the case of a SG).


Steve