[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKE negotiation for fragmentation controls in IPsec

> From: Stephen Kent <kent@bbn.com>
> if we fragment after IPsec encapsulation, then ANYONE can send 
> fragments that could cause the IPsec implementation trouble,

You probably don't mean "trouble", such as crashing. Injecting a fake
"fragment" would just make IPsec on the assembled packet fail the
checks. This is the trouble you mean?

Yes, that is a danger, fragmenting after IPsec makes it easier for the
attacker to cause packets to be lost (dropped by IPsec).

> if we fragment before encapsulation (but after doing the SPD checks),
> then we expose the stack behind the implementation to attacks, but

Ugh.. fragmenting before IPsec would be somewhat akward with "bump in
stack" implementation (at least for me it would be rather major
architectural change). However, as implementation never fragments TCP
packets, only issue is with large UDP packets. Oh well..