Re: [Last-Call] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06

...
On May 30, 2022, at 9:21 AM, Valery Smyslov <svan@xxxxxxxx> wrote:

 
From: touch@xxxxxxxxxxxxxx [mailto:touch@xxxxxxxxxxxxxx] 
Sent: Monday, May 30, 2022 7:00 PM
To: Valery Smyslov
Cc: Christian Huitema; secdir@xxxxxxxx; draft-ietf-ipsecme-rfc8229bis.all@xxxxxxxx; ipsec@xxxxxxxx; last-call@xxxxxxxx
Subject: Re: [Last-Call] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06
 
It might be useful to add that most of those injection attacks are similar to the kind of attack possible when IPsec is carried inside IP tunnels or UDP tunnels when IPsec messages are split across tunnel messages. In those cases, the vulnerability depends on the predictability of the fragment identifier, which can be much smaller than the predictability of being within the TCP receive window sequence space, esp. for long-lived TCP connections.
 
          Do you mean that fragmented packets will never be re-assembled at the receiving end and thus dropped?

Or reassembled with incorrect data, then IPsec will decide they fail decryption. Either way, it’s an attack that non-fragmented packets aren’t susceptible to.

 
          We can add the following sentence after the list in the text below:
 
          Note that data injection attacks are also possible at the IP level (e.g., when IP fragmentation is used),
          resulting in a DoS attack even if TCP encapsulation is not used.

The useful addition is that the TCP injection attack is easier to do than the IP fragmentation injection attack (or even a GRE fragmentation injection). TCP keeps a long receive window open that’s a sitting target for such attacks (the first byte to the last byte of the entire window of bytes). IP fragmentation does not need to use sequence numbers in order, and even when it does its “target” “window” is only the number of fragment IDs in a round trip, which is a much smaller attack surface.

Joe
-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
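To make the comparison in the thread concrete from a risk-assessment point of view, here is a small exposure model. It is an added illustration, not code from the draft, the mailing list or any of the participants. It computes the fraction of the identifier space that a receiver would accept for a blindly chosen value in two situations: a TCP connection with a given receive window (the whole open window is in-range for the 32-bit sequence space) and IP reassembly with a given number of fragmented datagrams outstanding per round trip (assumed to be IPv4 with its 16-bit Identification field). It also folds in how long each target exists, since the thread's point about long-lived TCP connections is that the window stays open for the lifetime of the connection while a set of fragment IDs is only live for roughly one round trip. All window sizes, in-flight counts, rates and durations are constructed parameters, not figures from the thread, and the model ignores everything else an attacker would also have to match (ports, addresses, fragment offsets).

```python
"""Blind-injection exposure model (added illustration, not from the thread).

Compares how much of the identifier space a receiver accepts for a blindly
chosen value under (a) TCP with a receive window of W bytes and (b) IP
fragment reassembly with N fragmented datagrams outstanding per round trip,
and how that exposure accumulates over the time each target exists.
All parameters below are constructed for illustration.
"""
import math
from fractions import Fraction

TCP_SEQ_SPACE = 2 ** 32   # 32-bit TCP sequence number space
IPV4_ID_SPACE = 2 ** 16   # 16-bit IPv4 Identification field (assumption: IPv4)


def tcp_window_exposure(window_bytes: int, seq_space: int = TCP_SEQ_SPACE) -> Fraction:
    """Fraction of the sequence space in which a blindly chosen segment lands.

    A segment whose sequence number falls in [RCV.NXT, RCV.NXT + window) is
    accepted into the receive buffer, so the whole open window is the target.
    """
    if not 0 < window_bytes <= seq_space:
        raise ValueError("window must be between 1 and the sequence space")
    return Fraction(window_bytes, seq_space)


def frag_id_exposure(datagrams_in_flight: int, id_space: int = IPV4_ID_SPACE) -> Fraction:
    """Fraction of the ID space that matches a datagram awaiting reassembly.

    Only IDs of datagrams currently being reassembled (roughly those sent
    within one round trip) are live targets; other IDs are simply discarded.
    """
    if not 0 < datagrams_in_flight <= id_space:
        raise ValueError("in-flight count must be between 1 and the ID space")
    return Fraction(datagrams_in_flight, id_space)


def success_probability(exposure: Fraction, guesses: int) -> float:
    """Probability that at least one of `guesses` blind attempts is accepted.

    Uses log1p/expm1 so tiny per-guess exposures do not lose precision.
    """
    if guesses <= 0:
        return 0.0
    return -math.expm1(guesses * math.log1p(-float(exposure)))


def compare(window_bytes: int, datagrams_in_flight: int,
            guess_rate: float, connection_seconds: float, rtt_seconds: float) -> dict:
    """Per-guess exposure and lifetime success for both targets.

    The TCP window absorbs guesses for the whole connection lifetime; a set
    of fragment IDs only absorbs guesses for about one round trip.
    """
    tcp = tcp_window_exposure(window_bytes)
    frag = frag_id_exposure(datagrams_in_flight)
    return {
        "tcp_exposure": tcp,
        "frag_exposure": frag,
        "tcp_easier_per_guess": tcp / frag,
        "tcp_lifetime_success": success_probability(tcp, int(guess_rate * connection_seconds)),
        "frag_lifetime_success": success_probability(frag, int(guess_rate * rtt_seconds)),
    }


if __name__ == "__main__":
    # Constructed scenarios: an unscaled 64 KiB window and a scaled 1 MiB
    # window, against a few fragmented datagrams outstanding per RTT.
    for window, in_flight in ((65535, 4), (1 << 20, 4), (1 << 20, 64)):
        r = compare(window, in_flight, guess_rate=1000.0,
                    connection_seconds=3600.0, rtt_seconds=0.1)
        print(f"window={window:>8} B  frags/RTT={in_flight:>3}  "
              f"per-guess TCP={float(r['tcp_exposure']):.2e} "
              f"IP={float(r['frag_exposure']):.2e}  "
              f"over lifetime TCP={r['tcp_lifetime_success']:.3f} "
              f"IP={r['frag_lifetime_success']:.3f}")
```

The per-guess column shows that the comparison depends on the window size (with window scaling in use the TCP side is several times larger), while the lifetime column shows the effect the thread emphasises: a window that stays open for the duration of a long-lived connection accumulates far more exposure than a set of fragment IDs that is only valid for one round trip. The same functions can be evaluated with a 32-bit `id_space` to reason about IPv6 fragment identifiers, which the thread does not discuss.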
