
Re: IKE negotiation for fragmentation controls in IPsec




> From: Stephen Kent <kent@bbn.com>
> 
> if we fragment after IPsec encapsulation, then ANYONE can send 
> fragments that could cause the IPsec implementation trouble,

You probably don't mean "trouble", such as crashing. Injecting a fake
"fragment" would just make IPsec on the assembled packet fail the
checks. This is the trouble you mean?

Yes, that is a danger, fragmenting after IPsec makes it easier for the
attacker to cause packets to be lost (dropped by IPsec).

> if we fragment before encapsulation (but after doing the SPD checks),
> then we expose the stack behind the implementation to attacks, but

Ugh.. fragmenting before IPsec would be somewhat awkward with a "bump in
stack" implementation (at least for me it would be a rather major
architectural change). However, as implementation never fragments TCP
packets, the only issue is with large UDP packets. Oh well..