
Re: Traffic selectors, fragments, ICMP messages and security policy problems



Stephen Kent writes:
> >     ================== attack data from clear packets
> >   **                   data from real ESP protected packet
> >
> >If the attack data comes before the ESP packet(s), only the still
> >missing parts in the assembly are filled from the protected data (and
> >this could be as little as the TCP header -- the first attack content
> >can begin at the payload offset 8).
> in the case of v4, it is possible for a receiver to perform a simple 
> sanity check on offset values to reject this sort of attack. since 
> the PMTU min for v4 is 576, and since the max header size is 60 
> bytes, one could adopt a conservative value such as 128 for the 
> offset in a non-initial fragment, and prevent reassembly attacks. 
> this check can be applied to all non-initial fragments, whether they 
> arrive via an SA or as bypass traffic.

How about the following attack. A is the sender behind SGW1, B is the
receiver behind SGW2. The connection between SGW1 and SGW2 is
protected by ESP for port 25 and all other traffic is sent in the
clear. This means SGW1 and SGW2 will accept non-first fragments in the
clear:

A ----- SGW1 <====== M ====> SGW2 ---- B

A sends 2000 byte packet fragmented to 2 pieces p1 and p2, each 1000
bytes.

	A -> B (first fragment, bytes 0-1000)
	A -> B (non-first fragment, bytes 1001-2000)

SGW1 will encrypt the packets (let's say it uses the rule that all
non-first fragments are sent using ESP, i.e. they receive identical
protection to the first fragments).

	SGW1 -> SGW2 (ESP Tunnel A->B, first fragment, bytes 0-1000)
	SGW1 -> SGW2 (ESP Tunnel A->B, non-first fragment, bytes 1001-2000)

Attacker M deletes the second packet from the wire, and replaces it
with a clear-text packet:

	A -> B (different non-first fragment, bytes 1001-2000)

SGW2 will decrypt the first fragment, and let the second packet go
through in the clear (the policy said that there is ESP protection
only for port 25, so the non-first fragment is not against the policy).


B will receive 2 fragments

	A -> B (first fragment, bytes 0-1000)
	A -> B (different non-first fragment, bytes 1001-2000)

where the first one is really from the other end and the second one
was inserted by the attacker. There are 2 ways for SGW2 to protect
against this attack:

	1) Require ESP protection for all non-first fragments
	2) Do partial or full reassembly for all fragments going
	   through (not only those protected by ESP) and verify that
	   the packets match the policy.
-- 
kivinen@safenet-inc.com
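The scenario above, as an added example that is not part of the mail or of any SGW implementation. It is a constructed model of SGW2's inbound policy check: a naive per-fragment check (which lets the substituted clear-text fragment through), the offset sanity check quoted from Stephen Kent (which the substituted fragment also passes, since its offset is far above 128), and the two countermeasures listed at the end of the mail. Fragment offsets are modelled in bytes rather than IPv4's 8-byte units, the "A", "B" and port numbers are constructed values, and the policy is reduced to "TCP port 25 between A and B requires ESP, everything else is bypass".

```python
"""Constructed model of the fragment-substitution scenario from the mail.

Not real security gateway code: it models how SGW2 decides whether an
inbound fragment (decrypted from the ESP tunnel or received in the clear)
matches the policy "TCP port 25 between A and B must be ESP protected".
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Fragment:
    src: str
    dst: str
    offset: int       # byte offset of this fragment's payload in the original datagram
    more: bool        # IPv4 "more fragments" flag
    data: bytes       # the first fragment starts with the TCP header
    via_esp: bool     # True if SGW2 received it inside the ESP tunnel


def tcp_dst_port(first: Fragment) -> Optional[int]:
    """Only the first fragment carries the transport header (dst port = bytes 2-3)."""
    if first.offset != 0 or len(first.data) < 4:
        return None
    return int.from_bytes(first.data[2:4], "big")


def policy_requires_esp(port: Optional[int]) -> bool:
    """Constructed policy from the mail: only port 25 traffic must be ESP protected."""
    return port == 25


def tcp_header(src_port: int, dst_port: int) -> bytes:
    # Minimal 20-byte TCP header: ports set, remaining fields zeroed (constructed).
    return src_port.to_bytes(2, "big") + dst_port.to_bytes(2, "big") + bytes(16)


def build_scenario():
    """A's 2000-byte port-25 datagram split in two, plus M's clear-text replacement."""
    datagram = tcp_header(40000, 25) + b"M" * (2000 - 20)      # 2000 bytes
    p1 = Fragment("A", "B", 0, True, datagram[:1000], via_esp=True)
    p2 = Fragment("A", "B", 1000, False, datagram[1000:], via_esp=True)
    # Attacker M drops p2 on the wire and injects this in the clear instead.
    p2_attack = Fragment("A", "B", 1000, False, b"X" * 1000, via_esp=False)
    return p1, p2, p2_attack


def naive_per_fragment(frag: Fragment) -> bool:
    """Per-fragment check: a non-first fragment has no port, so no rule demands ESP."""
    if frag.offset == 0:
        return frag.via_esp or not policy_requires_esp(tcp_dst_port(frag))
    return True


def offset_sanity(frag: Fragment, min_offset: int = 128) -> bool:
    """Kent's check: reject non-initial fragments with an implausibly small offset."""
    return frag.offset == 0 or frag.offset >= min_offset


def mitigation1(frag: Fragment) -> bool:
    """Mail's option 1: every non-first fragment must arrive via ESP."""
    if frag.offset != 0:
        return frag.via_esp
    return naive_per_fragment(frag)


def mitigation2(frags: List[Fragment]) -> Optional[bytes]:
    """Mail's option 2: reassemble all fragments, then check the whole datagram
    against the policy. Returns the datagram if accepted, None if dropped."""
    if not frags:
        return None
    frags = sorted(frags, key=lambda f: f.offset)
    buf = b""
    for f in frags:
        if f.offset != len(buf):      # require contiguous, non-overlapping coverage
            return None
        buf += f.data
    if frags[-1].more:                # last fragment missing
        return None
    port = tcp_dst_port(frags[0])
    # The policy applies to the datagram as a whole: if its port requires ESP,
    # every fragment of it must have come through the tunnel.
    if policy_requires_esp(port) and not all(f.via_esp for f in frags):
        return None
    return buf


if __name__ == "__main__":
    p1, p2, p2_attack = build_scenario()
    print("naive check accepts attack fragment:", naive_per_fragment(p2_attack))
    print("offset sanity accepts attack fragment:", offset_sanity(p2_attack))
    print("mitigation 1 accepts attack fragment:", mitigation1(p2_attack))
    print("mitigation 2 delivers attack datagram:", mitigation2([p1, p2_attack]) is not None)
    print("mitigation 2 delivers legitimate datagram:", mitigation2([p1, p2]) is not None)
```

Option 2 costs reassembly state at the gateway for every flow, including bypass traffic, which is why option 1 (treat every non-first fragment as requiring the tunnel) is the cheaper rule when the peer gateway is known to send fragments that way.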