[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Traffic selectors, fragments, ICMP messages and security policy problems

To: kent@bbn.com
Subject: Re: Traffic selectors, fragments, ICMP messages and security policy problems
From: Markku Savela <msa@burp.tkv.asdf.org>
Date: Sat, 13 Mar 2004 00:16:15 +0200
Cc: ipsec@lists.tislabs.com
In-reply-to: <p06020402bc77a2d65e93@[128.89.89.75]> (message from Stephen Kenton Fri, 12 Mar 2004 12:41:15 -0500)
References: <5.2.0.9.0.20040225161626.020c34e0@email> <Your message of"Tue, 24 Feb 2004 17:44:50 EST."<5.2.0.9.0.20040224173754.0290be48@email><5.2.0.9.0.20040225161626.020c34e0@email><5.2.0.9.0.20040226095435.0208aa50@email><200403051131.i25BV3ji006208@burp.tkv.asdf.org> <p06020402bc77a2d65e93@[128.89.89.75]>
Sender: owner-ipsec@lists.tislabs.com

> From: Stephen Kent <kent@bbn.com>
> At 1:31 PM +0200 3/5/04, Markku Savela wrote:

> >Consider mobile node M communicating with server S behing the security
> >gateway SG. Assume S fragments some data going towards M, and assume
> >there is a port specific policy:
> >
> >   PORT=A, send in clear
> >   PORT=B, use ESP
> >   PORT=C, use AH
> >
> >  M <==== IPSEC ====> SG <---> S

> >First SG: It has been said it is not acceptable to require SG to do
> >packet assembly before the IPSEC. If so, then NONE of the selectors
> >affecting the M <-> SG traffic can have port selectors.
> 
> more precisely, all of the traffic between M and SG must be treated 
> uniformly wrt ports, otherwise non-initial fragments cannot be 
> assured the intended treatment. of course, one could also state that 
> IF there were a total ordering on security, then affording 
> non-initial fragments the most secure treatment would not "under 
> protect" any traffic, although it might "over protect" it. so, the 
> characterization above is not quite right.

From a set of ESP and AH choices, how do you order them? Which ESP is
better protection over another ESP? Is AH better than ESP without
authentication?

> >If you have port selectors, you cannot let the packets through until
> >you see the first fragment. (You don't know whether port is A or
> >B).
> 
> but, as noted above, I could choose to map non-initial fragments to 
> the ESP SA, if my concern were to not under protect any traffic.

Yes, but at least my current implementation rejects packets that are
protected validly with ESP or AH, but policy calls for no protection
(or if policy calls for different protection).

> >IPSEC on M must also hold all clear fragments in similar way, until it
> >knows what IPSEC was to be applied.
> 
> each IPsec packet carries an SPI that maps it to an indicated SA, and 
> the crypto checks will fail if it is mapped to the wrong SA. so the 
> statement above is not correct.

Yes, but it must hold clear packets, until it knows their ports. If it
lets a non initial clear packets (no SPI, just plain data, it might be
port=A), through to packet assembly, an attacker can create the
following assembled packet:

    ================== attack data from clear packets
  **                   data from real ESP protected packet

If the attack data comes before the ESP packet(s), only the still
missing parts in the assembly are filled from the protected data (and
this could be as little as the TCP header -- the first attack content
can begin at the payload offset 8).

Follow-Ups:
- Re: Traffic selectors, fragments, ICMP messages and security policy problems
  - From: Stephen Kent <kent@bbn.com>

References:
- Re: Traffic selectors, fragments, ICMP messages and security policy problems
  - From: Markku Savela <msa@burp.tkv.asdf.org>
- Re: Traffic selectors, fragments, ICMP messages and security policy problems
  - From: Stephen Kent <kent@bbn.com>

Prev by Date: Re: IPsec and racoon in tunnel-mode
Next by Date: Re: Traffic selectors, fragments, ICMP messages and security policy problems
Previous by thread: Re: Traffic selectors, fragments, ICMP messages and security policy problems
Next by thread: Re: Traffic selectors, fragments, ICMP messages and security policy problems
Index(es):
- Date
- Thread