Re: IKE negotiation for fragmentation controls in IPsec

[Stephen Kent <kent@bbn.com>]

Return-Path: <kent@bbn.com>
Received: from [128.89.88.34] (comsec.bbn.com [128.89.88.34])
	by aragorn.bbn.com (8.12.7/8.12.7) with ESMTP id h5UDKED9009711;
	Mon, 30 Jun 2003 09:20:16 -0400 (EDT)
Mime-Version: 1.0
X-Sender: kent@po2.bbn.com
Message-Id: <p05210604bb20a15dcd7c@[10.1.71.211]>
In-Reply-To: <16122.55806.305977.986255@ryijy.hel.fi.ssh.com>
References: <p05210618bb1fd593f2a0@[10.1.71.211]>
  <16122.55806.305977.986255@ryijy.hel.fi.ssh.com>
Date: Mon, 30 Jun 2003 09:14:20 -0400
To: Tero Kivinen <kivinen@ssh.fi>
From: Stephen Kent <kent@bbn.com>
Subject: Re: IKE negotiation for fragmentation controls in IPsec
Cc: ipsec@lists.tislabs.com
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
X-Scanned-By: MIMEDefang 2.28 (www . roaringpenguin . com / mimedefang)

At 2:33 PM +0300 6/26/03, Tero Kivinen wrote:
>Stephen Kent writes:
>>  for this SA, because none will be sent by this transmitter. So, I
>>  suggest that we add a paylod to IKE to allow an initiator to indicate
>>  the intent to never send ciphertext fragments. The responder can take
>>  advantage of this info to better protect itself, or it can ignore the
>>  info, but it needs to be told to be able to take advantage of the
>>  capability. I would also like to see the responder be able to notify
>>  the initiator of its intent re the companion (reverse) SA, if
>>  appropriate.
>
>Would it be enough to have
>----------------------------------------------------------------------
>         FRAGMENTATION_BEFORE_IPSEC		24587
>
>             By sending this notification the sender announces that it
>             can process packets which are fragmented before being
>             encapsulated to the IPSec packets, i.e the recipient of
>             this notification can send such packets and assume that
>             the other end can process them. If this notification
>             payload is sent by both ends (i.e both ends support this
>             feature), then both ends MUST NOT send packets fragmented
>             after the IPsec encapsulation and SHOULD (configurable by
>             local policy) reject incoming packets which are fragmented
>             after IPsec encapsulation (i.e as the other end must not
>             send them it was either some other router which fragmented
>             it or it was an attack).
>----------------------------------------------------------------------

This does not really convey the right semantics.  What we want is for 
the sender of the payload to say "I will NOT send any post-IPsec 
encapsulation fragments." Any receiver MUST be able to accommodate 
fragments that occur prior to IPsec encapsulation, because these 
fragments could have been generated by a host before arriving at the 
IPsec device. The goal of the proposed payload is to inform the 
receiver so that the receiver can mark an SAD entry to reject all 
fragments that arrive (prior to IPsec encalsulation).

>
>in the section 3.10.1 Notify Message Types - STATUS TYPES?
>
>>  A logical (but admittedly separable) companion to this feature is to
>>  allow the initiator to request the responder to accept fragments on
>>  an SA where port fields are used as selectors. The issue here is that
>>  a host may send fragments to an IPsec device that requires port field
>>  examination for the SA to which the fragments will be mapped. It
>>  seems reasonably safe to allow fragments (with a suitable, minimum
>>  offset) to pass through such as SA, with only the initial fragment
>>  having the port fields examined. This is a separate negotiation
>>  because the fragments arise from hosts behind the IPsec device, but
>>  it is related, because if one fragments at the sending IPsec device,
>>  it would be nice to be able to use this feature to allow the receiver
>>  to pass on fragments, not reassemble them (in the case of a SG).
>
>The normal processing of those packets on the firewalls is to put
>those non-first fragments to (small) queue and when the first fragment
>then arrives, then do the policy check and forward the first fragment
>and all additional fragments forward (and also mark the fragment id so
>that all future fragments to same packet will get through for some
>time). Also care should be taken that the any fragments do not
>overwrite anything from the first fragment that was used for the
>policy checks (i.e the port numbers are not overwritten by later
>non-first fragment).
>
>I am not sure that we should allow sending of the non-first fragments
>to IPsec SAs using the port selectors unless we have validated that
>the port numbers match the policy. There is no need to do the actual
>reassembly, simply queuing the non-first framents coming before the
>first fragment and adding entry that will allow rest of the fragments
>to the packet to get through for some time is enough.


We agree that there is no need for a receiver to reassemble. However, 
so long as we prevent fragments with too-short offsets from 
traversing an SA, I'm not sure much damage (other than a form of DoS 
on an SA where the Source and Dest IP addresses are already 
acceptable) will be done if we allow fragments to pass before we see 
the initial fragment at the receiver.  That avoids the need for any 
buffering at the receiver, which it self might create DoS concerns.

Steve