Re: IKE negotiation for fragmentation controls in IPsec
- To: Markku Savela <msa@burp.tkv.asdf.org>
- Subject: Re: IKE negotiation for fragmentation controls in IPsec
- From: Stephen Kent <kent@bbn.com>
- Date: Tue, 1 Jul 2003 10:56:40 -0400
- Cc: ipsec@lists.tislabs.com
- In-Reply-To: <200306302216.h5UMGWb9004806@burp.tkv.asdf.org>
- References: <p05210618bb1fd593f2a0@[10.1.71.211]><16122.55806.305977.986255@ryijy.hel.fi.ssh.com><p05210604bb20a15dcd7c@[10.1.71.211]><16128.25732.675945.766298@ryijy.hel.fi.ssh.com><200306301913.h5UJD88P003320@burp.tkv.asdf.org><p05100316bb2640524ba2@[128.89.88.34]><200306302139.h5ULddZx004355@burp.tkv.asdf.org><p05100304bb26604fcf96@[128.89.88.34]><200306302216.h5UMGWb9004806@burp.tkv.asdf.org>
- Sender: owner-ipsec@lists.tislabs.com
At 1:16 AM +0300 7/1/03, Markku Savela wrote:
>> From: Stephen Kent <kent@bbn.com>
>>
>> if we fragment after IPsec encapsulation, then ANYONE can send
>> fragments that could cause the IPsec implementation trouble,
>
>You probably don't mean "trouble", such as crashing. Injecting a fake
>"fragment" would just make IPsec on the assembled packet fail the
>checks. This is the trouble you mean?
yes, I do mean trouble as in running out of buffer space due to
getting lots of bogus, non-initial fragments, and behaving badly as a
result :-)
>Yes, that is a danger, fragmenting after IPsec makes it easier for the
>attacker to cause packets to be lost (dropped by IPsec).
Not just lost, but also deluging the receiver with bogus, non-initial fragments.
>
>> if we fragment before encapsulation (but after doing the SPD checks),
>> then we expose the stack behind the implementation to attacks, but
>
>Ugh.. fragmenting before IPsec would be somewhat awkward with a "bump in
>stack" implementation (at least for me it would be a rather major
>architectural change). However, as the implementation never fragments TCP
>packets, the only issue is with large UDP packets. Oh well..
Yes, we have to live with the potential for large UDP packets too.
Even IPv6 does not preclude a host from sending fragments "natively"
so we have to deal with this issue in some way.
Steve
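The two orderings argued over in this thread can be made concrete with a small model. What follows is an added illustration, not code from the list, from either poster, or from any IPsec implementation. It queues constructed IP fragments under a hard byte budget, a per-source share, overlap rejection and a timeout, then runs two constructed scenarios: fragmentation after IPsec encapsulation, where the receiver has to buffer non-initial pieces from anyone before it can check an ICV, and fragmentation before encapsulation, where each piece is its own IPsec packet and forged ones never reach the queue. The `authenticated` set is an assumption standing in for a successful SA lookup plus ICV check; all addresses and payloads are made up.

```python
"""Bounded fragment reassembly queue (added illustration, not list code)."""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Fragment:
    src: str        # source address (constructed sample values below)
    ident: int      # IP identification field
    offset: int     # byte offset of this piece within the original datagram
    more: bool      # "more fragments" flag; False marks the last piece
    payload: bytes


@dataclass
class _Group:
    pieces: dict = field(default_factory=dict)  # offset -> payload
    total_len: Optional[int] = None             # known once the last piece arrives
    first_seen: float = 0.0
    nbytes: int = 0


class Reassembler:
    """Reassembly state with a global budget, per-source share and timeout."""

    def __init__(self, max_total: int, max_per_src: int, timeout: float):
        self.max_total, self.max_per_src, self.timeout = max_total, max_per_src, timeout
        self.groups: "OrderedDict[tuple, _Group]" = OrderedDict()  # insertion order = age
        self.used = 0          # bytes currently buffered
        self.per_src: dict = {}  # src -> bytes buffered for that source
        self.dropped = 0       # fragments refused or evicted

    def _evict(self, key: tuple) -> None:
        g = self.groups.pop(key)
        self.used -= g.nbytes
        self.per_src[key[0]] -= g.nbytes

    def expire(self, now: float) -> None:
        """Drop incomplete groups that have waited longer than the timeout."""
        for key in list(self.groups):
            if now - self.groups[key].first_seen > self.timeout:
                self._evict(key)
                self.dropped += 1

    def feed(self, frag: Fragment, now: float) -> Optional[bytes]:
        """Queue one fragment; return the datagram once it is complete."""
        self.expire(now)
        key, n = (frag.src, frag.ident), len(frag.payload)
        if self.per_src.get(frag.src, 0) + n > self.max_per_src:  # one sender cannot own the buffer
            self.dropped += 1
            return None
        while self.groups and self.used + n > self.max_total:     # evict oldest rather than grow
            self._evict(next(iter(self.groups)))
            self.dropped += 1
        if self.used + n > self.max_total:
            self.dropped += 1
            return None
        g = self.groups.setdefault(key, _Group(first_seen=now))
        for off, pl in g.pieces.items():   # overlapping/duplicate pieces are refused outright
            if frag.offset < off + len(pl) and off < frag.offset + n:
                self.dropped += 1
                return None
        g.pieces[frag.offset] = frag.payload
        g.nbytes += n
        self.used += n
        self.per_src[frag.src] = self.per_src.get(frag.src, 0) + n
        if not frag.more:
            g.total_len = frag.offset + n
        if g.total_len is None:
            return None
        pos = 0
        for off in sorted(g.pieces):      # contiguous coverage from offset 0?
            if off != pos:
                return None
            pos += len(g.pieces[off])
        if pos != g.total_len:
            return None
        data = b"".join(g.pieces[o] for o in sorted(g.pieces))
        self._evict(key)
        return data


# Constructed traffic: one legitimate two-piece datagram and a flood of
# non-initial pieces from forged sources that can never complete.
PEER = "10.0.0.2"
LEGIT = [Fragment(PEER, 1, 0, True, b"A" * 512), Fragment(PEER, 1, 512, False, b"B" * 100)]
FLOOD = [Fragment(f"192.0.2.{i}", 7, 512, True, b"X" * 256) for i in range(1, 200)]
TIMELINE = [(LEGIT[0], 0.0)] + [(f, 1.0) for f in FLOOD] + [(LEGIT[1], 2.0)]


def fragment_after_ipsec() -> tuple:
    """Outer fragmentation: every piece must be queued before any ICV check."""
    r = Reassembler(max_total=4096, max_per_src=1024, timeout=30.0)
    results = [r.feed(f, t) for f, t in TIMELINE]
    return results[-1], r.used, r.dropped   # legit datagram lost, memory still bounded


def fragment_before_ipsec(authenticated=frozenset({PEER})) -> tuple:
    """Inner fragmentation: each piece is an IPsec packet authenticated first.
    `authenticated` is an assumption standing in for SA lookup + ICV check."""
    r = Reassembler(max_total=4096, max_per_src=1024, timeout=30.0)
    results = [r.feed(f, t) for f, t in TIMELINE if f.src in authenticated]
    return results[-1], r.used              # legit datagram reassembles, queue empties
```

In the first scenario the budget holds memory at or below 4096 bytes, which is the "running out of buffer space" failure the message warns about, but FIFO eviction lets the flood push out the peer's first piece, so the legitimate datagram is still lost, which is exactly the cheaper "cause packets to be lost" effect described in the reply. In the second scenario the forged pieces are rejected before they touch reassembly state and the datagram completes.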