
Re: Traffic selectors, fragments, ICMP messages and security policy problems



At 12:10 PM +0200 3/15/04, Tero Kivinen wrote:
>Stephen Kent writes:
>>  >     ================== attack data from clear packets
>>  >   **                   data from real ESP protected packet
>>  >
>>  >If the attack data comes before the ESP packet(s), only the still
>>  >missing parts in the assembly are filled from the protected data (and
>>  >this could be as little as the TCP header -- the first attack content
>>  >can begin at the payload offset 8).
>>  in the case of v4, it is possible for a receiver to perform a simple
>>  sanity check on offset values to reject this sort of attack. since
>>  the PMTU min for v4 is 576, and since the max header size is 60
>>  bytes, one could adopt a conservative value such as 128 for the
>>  offset in a non-initial fragment, and prevent reassembly attacks.
>>  this check can be applied to all non-initial fragments, whether they
>>  arrive via an SA or as bypass traffic.
>
>How about the following attack. The A is the sender behind SGW1, The B
>is the receiver behind SGW2. The connection between SGW1 and SGW2 is
>protected by the ESP for port 25 and all other traffic is sent in
>clear. This means SGW1 and SGW2 will accept non-first fragments in
>clear:
>
>A ----- SGW1 <====== M ====> SGW2 ---- B
>
>A sends 2000 byte packet fragmented to 2 pieces p1 and p2, each 1000
>bytes.
>
>	A -> B (first fragment, bytes 0-1000)
>	A -> B (non-first fragment, bytes 1001-2000)
>
>The SGW1 will encrypt the packets (let's say it uses the rule that all
>non-first fragments are sent using the ESP, i.e. receiving identical
>protection to the first fragments).
>
>	SGW1 -> SGW2 (ESP Tunnel A->B, first fragment, bytes 0-1000)
>	SGW1 -> SGW2 (ESP Tunnel A->B, non-first fragment, bytes 1001-2000)
>
>Attacker M deletes the second packet from the wire, and replaces it
>with clear text packet:
>
>	A -> B (different non-first fragment, bytes 1001-2000)
>
>SGW2 will decrypt the first fragment, and let the second packet go
>through in clear (the policy said that there is only ESP protection
>for port 25, so the non-first fragment is not against the policy).
>
>
>B will receive 2 fragments
>
>	A -> B (first fragment, bytes 0-1000)
>	A -> B (different non-first fragment, bytes 1001-2000)
>
>where the first one is really from the other end, the second one was
>inserted by the attacker. There are 2 ways for the SGW2 to protect
>against this attack:
>
>	1) Require ESP protection for all non-first fragments
>	2) Do partial or full reassembly for all fragments going
>	   through (not only those protected by ESP) and verify that
>	   the packets match the policy.

the proposal to carry all non-initial fragments on an SA between two 
sites would require that a receiver reject all plaintext fragments 
that appear to be from a site with which IPsec protection was 
employed. that seems to be consistent with #1 above.  #2 would work, 
in the contexts where there is only one SG serving a site.

Steve

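The two receiver-side checks discussed in this thread, the offset sanity test on IPv4 non-initial fragments from the earlier message (reject a non-initial fragment whose offset is below a conservative 128 bytes) and option 1 from the list above (a non-first fragment between sites that use IPsec with each other must arrive on an SA, never in the clear), as an added Python example that is not part of the original messages. The host addresses, the site prefixes, the `ipsec_site_pairs` table and the function names are constructed for the illustration; the `arrived_via_sa` flag stands in for whatever the security gateway already knows about which SA (if any) a packet was decapsulated from.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Conservative lower bound (bytes) on the offset of a non-initial fragment, the
# value suggested in the thread: an IPv4 header is at most 60 bytes and the minimum
# PMTU is 576, so a legitimate non-initial fragment never starts this early.
MIN_NONINITIAL_OFFSET = 128

# Constructed site table: the prefixes behind SGW1 (A's site) and SGW2 (B's site).
IPSEC_SITE_PAIRS = {("10.1.0.0/16", "10.2.0.0/16")}


@dataclass
class Ipv4Frag:
    src: str
    dst: str
    proto: int
    more_fragments: bool
    frag_offset: int      # byte offset of this fragment's payload in the datagram
    payload_len: int


def parse_ipv4(pkt: bytes) -> Ipv4Frag:
    """Parse the fixed IPv4 header fields needed for the fragment checks."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > total_len or total_len > len(pkt):
        raise ValueError("inconsistent length fields")
    return Ipv4Frag(
        src=".".join(str(b) for b in src),
        dst=".".join(str(b) for b in dst),
        proto=proto,
        more_fragments=bool(flags_off & 0x2000),   # MF flag
        frag_offset=(flags_off & 0x1FFF) * 8,      # offset field is in 8-byte units
        payload_len=total_len - ihl,
    )


def build_ipv4(src, dst, proto, more_fragments, frag_offset, payload) -> bytes:
    """Build a minimal IPv4 packet for the examples (checksum left at zero)."""
    flags_off = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_off, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def check_fragment(pkt: bytes, arrived_via_sa: bool, ipsec_site_pairs) -> str:
    """Apply both checks to one packet; returns "accept" or "reject:<reason>"."""
    f = parse_ipv4(pkt)
    if f.frag_offset == 0:
        return "accept"   # initial fragment / unfragmented: normal selector policy applies

    # Check 1: offset sanity. A non-initial fragment with a tiny offset could overwrite
    # the transport header or the start of a protected first fragment on reassembly.
    if f.frag_offset < MIN_NONINITIAL_OFFSET:
        return "reject:offset-too-small"

    # Check 2 (option 1 in the thread): between sites that use IPsec with each other,
    # a non-first fragment is only acceptable if it was received on an SA.
    if not arrived_via_sa:
        s, d = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        for a_net, b_net in ipsec_site_pairs:
            a, b = ipaddress.ip_network(a_net), ipaddress.ip_network(b_net)
            if (s in a and d in b) or (s in b and d in a):
                return "reject:clear-nonfirst-fragment-from-ipsec-peer"
    return "accept"


def replay_scenario():
    """Replay the attack from the thread with constructed addresses A=10.1.0.5, B=10.2.0.9."""
    p2 = build_ipv4("10.1.0.5", "10.2.0.9", 6, False, 1000, b"\x00" * 16)
    return {
        "p2 via ESP tunnel":       check_fragment(p2, True, IPSEC_SITE_PAIRS),
        "M's clear replacement":   check_fragment(p2, False, IPSEC_SITE_PAIRS),
        "tiny-offset fragment":    check_fragment(
            build_ipv4("10.1.0.5", "10.2.0.9", 6, True, 8, b"\x00" * 16), False, IPSEC_SITE_PAIRS),
        "clear fragment, non-IPsec peer": check_fragment(
            build_ipv4("192.0.2.1", "10.2.0.9", 6, False, 1000, b"\x00" * 16), False, IPSEC_SITE_PAIRS),
    }


if __name__ == "__main__":
    for name, verdict in replay_scenario().items():
        print(f"{name:32s} {verdict}")
```

The second check is exactly the trade-off the reply points at: it needs a table of which remote sites IPsec is used with, so it works cleanly when one gateway serves each site, and a clear non-first fragment from an address that is not in that table is still accepted. Option 2 (partial or full reassembly at the gateway) is the alternative when that table cannot be trusted.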