
Re: IKE negotiation for fragmentation controls in IPsec



At 1:16 AM +0300 7/1/03, Markku Savela wrote:
>  > From: Stephen Kent <kent@bbn.com>
>>
>>  if we fragment after IPsec encapsulation, then ANYONE can send
>>  fragments that could cause the IPsec implementation trouble,
>
>You probably don't mean "trouble", such as crashing. Injecting a fake
>"fragment" would just make IPsec on the assembled packet fail the
>checks. This is the trouble you mean?

Yes, I do mean trouble as in running out of buffer space due to 
getting lots of bogus, non-initial fragments, and behaving badly as a 
result :-)

>Yes, that is a danger, fragmenting after IPsec makes it easier for the
>attacker to cause packets to be lost (dropped by IPsec).

Not just lost, but to deluge the receiver with bogus, non-initial fragments.

>
>>  if we fragment before encapsulation (but after doing the SPD checks),
>>  then we expose the stack behind the implementation to attacks, but
>
>Ugh.. fragmenting before IPsec would be somewhat awkward with "bump in
>stack" implementation (at least for me it would be rather major
>architectural change). However, as implementation never fragments TCP
>packets, the only issue is with large UDP packets. Oh well..

Yes, we have to live with the potential for large UDP packets too. 
Even IPv6 does not preclude a host from sending fragments "natively" 
so we have to deal with this issue in some way.

Steve
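The design point argued in this exchange, as an added illustration that is not part of the thread: when fragmentation happens after IPsec encapsulation, a non-initial fragment carries nothing the receiver can check until the whole packet is reassembled, so anyone can fill reassembly buffers; when fragmentation happens before encapsulation (after the SPD check), each fragment is protected on its own and bogus ones are rejected before they consume any state. The reassembler, the byte cap, the HMAC tag standing in for ESP/AH authentication and all traffic are constructed for the simulation.

```python
import hmac
import hashlib
from collections import OrderedDict

KEY = b"constructed-demo-key"  # constructed; a real SA key would come from IKE

def tag(data: bytes) -> bytes:
    """Per-fragment integrity tag (stands in for ESP/AH authentication)."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:8]

class Reassembler:
    """Reassembly state with a hard byte cap; the oldest partial packet is
    evicted when the cap is hit, which is how a bogus-fragment flood causes loss."""
    def __init__(self, max_bytes: int):
        self.max_bytes, self.buffered, self.evicted = max_bytes, 0, 0
        self.partial = OrderedDict()  # (src, pkt_id) -> [(offset, payload)]

    def add(self, src, pkt_id, offset, payload):
        while self.partial and self.buffered + len(payload) > self.max_bytes:
            _, frags = self.partial.popitem(last=False)
            self.buffered -= sum(len(p) for _, p in frags)
            self.evicted += 1
        self.partial.setdefault((src, pkt_id), []).append((offset, payload))
        self.buffered += len(payload)

def receive(reasm, check_first, src, pkt_id, offset, payload, frag_tag=None):
    """check_first=True models fragmenting *before* IPsec encapsulation: each
    fragment carries its own tag and is verified before any state is used.
    check_first=False models fragmenting *after* encapsulation: a non-initial
    fragment cannot be checked until the whole packet is back together."""
    if check_first and not (frag_tag and hmac.compare_digest(tag(payload), frag_tag)):
        return False
    reasm.add(src, pkt_id, offset, payload)
    return True

def simulate(check_first: bool, cap: int = 4096) -> dict:
    r = Reassembler(cap)
    legit = b"A" * 512  # constructed: one genuine non-initial fragment from a peer
    receive(r, check_first, "peer", 1, 1480, legit, tag(legit))
    rejected = 0
    for i in range(100):  # constructed: many bogus non-initial fragments, bad tags
        bogus = bytes([i]) * 256
        if not receive(r, check_first, f"src{i}", i, 1480, bogus, b"\0" * 8):
            rejected += 1
    return {"legit_kept": ("peer", 1) in r.partial, "rejected": rejected,
            "evicted": r.evicted, "buffered": r.buffered}
```

`simulate(False)` shows the legitimate partial packet evicted by unverifiable fragments, while `simulate(True)` keeps it and rejects all 100 bogus fragments before they touch the buffer.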