A New Internet-Draft is available from the on-line Internet-Drafts directories.
Title : Too Big or Too Small? The PTB-PTS ICMP-based Attack against IPsec Gateways
Authors : Vincent Roca
Saikou Fall
Filename : draft-roca-ipsecme-ptb-pts-attack-00.txt
Pages : 16
Date : 2015-07-06
Abstract:
This document introduces the "Packet Too Big"-"Packet Too Small"
Internet Control Message Protocol (ICMP) based attack against IPsec
gateways. We explain how an attacker having eavesdropping and packet
injection capabilities, from the unsecure network where he only sees
encrypted packets, can force a gateway to reduce the Path Maximum
Transmission Unit (PMTU) of an IPsec tunnel to the minimum, which can
trigger severe issues for the hosts behind this gateway: with a Linux
host, depending on the PMTU discovery algorithm in use (i.e., PMTUd
versus PLPMTUd) and protocol (TCP versus UDP), the attack either
creates a Denial of Service or major performance penalties. This
attack highlights two fundamental problems, namely: (1) the
impossibility to distinguish legitimate from illegitimate ICMP
packets coming from the untrusted network, and (2) the contradictions
in the way Path MTU is managed by some end hosts when this Path MTU
is below the minimum packet size any link should support because of
the IPsec encapsulation.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-roca-ipsecme-ptb-pts-attack/
There's also a htmlized version available at:
https://tools.ietf.org/html/draft-roca-ipsecme-ptb-pts-attack-00
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
