Re: [Int-area] Kathleen Moriarty's Discuss on draft-ietf-intarea-gre-mtu-04: (with DISCUSS)

[Ronald Bonica]

Hi Kathleen,

Thanks, I will post an updated version of the draft.

Regarding Fred’s question, an attacker can send ICMP PTB to the GRE ingress 
node. When this happens, the GRE ingress node’s estimation of the PMTU and GMTU 
become inaccurate. That is why the draft says:

“PMTU Discovery is vulnerable to two denial of service attacks (see Section 8 
of [RFC1191] for details). Both attacks are based upon on a malicious party 
sending forged ICMPv4 Destination Unreachable or ICMPv6 Packet Too Big messages 
to a host. In the first attack, the forged message indicates an inordinately 
small PMTU. In the second attack, the forged message indicates an inordinately 
large MTU. In both cases, throughput is adversely affected. On order to 
mitigate such attacks, GRE implementations include a configuration option to 
disable PMTU discovery on GRE tunnels. Also, they can include a configuration 
option that conditions the behavior of PMTUD to establish a minimum PMTU.”

                                                                               
Ron


From: Kathleen Moriarty [mailto:kathleen.moriarty.i...@gmail.com]
Sent: Thursday, May 14, 2015 9:11 PM
To: Templin, Fred L
Cc: Ronald Bonica; Suresh Krishnan; draft-ietf-intarea-gre-...@ietf.org; 
int-area@ietf.org; draft-ietf-intarea-gre-mtu...@ietf.org; 
draft-ietf-intarea-gre-mtu.sheph...@ietf.org; The IESG; intarea-cha...@ietf.org
Subject: Re: Kathleen Moriarty's Discuss on draft-ietf-intarea-gre-mtu-04: 
(with DISCUSS)

Hi Ron,

I like the updated text, thank you!

I'm interested to hear the answer to Fred's question too.

Thanks,
Kathleen

Sent from my iPhone

On May 14, 2015, at 4:13 PM, "Templin, Fred L" 
<fred.l.temp...@boeing.com<mailto:fred.l.temp...@boeing.com>> wrote:
Hi Ron,

Isn’t it true that a DoS attack based on forged PTB messages can be mounted even
if the subject and attacker are both located within the same administrative 
domain,
i.e., an “insider attack”?

Thanks – Fred
fred.l.temp...@boeing.com<mailto:fred.l.temp...@boeing.com>

From: Int-area [mailto:int-area-boun...@ietf.org] On Behalf Of Ronald Bonica
Sent: Thursday, May 14, 2015 12:44 PM
To: Kathleen Moriarty; Suresh Krishnan
Cc: 
draft-ietf-intarea-gre-...@ietf.org<mailto:draft-ietf-intarea-gre-...@ietf.org>;
 int-area@ietf.org<mailto:int-area@ietf.org>; 
draft-ietf-intarea-gre-mtu...@ietf.org<mailto:draft-ietf-intarea-gre-mtu...@ietf.org>;
 
draft-ietf-intarea-gre-mtu.sheph...@ietf.org<mailto:draft-ietf-intarea-gre-mtu.sheph...@ietf.org>;
 The IESG; intarea-cha...@ietf.org<mailto:intarea-cha...@ietf.org>
Subject: Re: [Int-area] Kathleen Moriarty's Discuss on 
draft-ietf-intarea-gre-mtu-04: (with DISCUSS)

Kathleen,

The following is an updated Security Considerations Section. Does this work?

                                                                                
Ron

Security Considerations
In the GRE fragmentation solution described above, either the GRE payload or 
the GRE delivery packet can be fragmented.  If the GRE payload is fragmented, 
it is typically reassembled at its ultimate destination.  If the GRE delivery 
packet is fragmented, it is typically reassembled at the GRE egress node.

The packet reassembly process is resource intensive and vulnerable to several 
denial of service attacks.  In the simplest attack, the attacker sends 
fragmented packets more quickly than the victim can reassemble them.  In a 
variation on that attack, the first fragment of each packet is missing, so that 
no packet can ever be reassembled.


Given that the packet reassembly process is resource intensive and vulnerable 
to denial of service attacks, operators should decide where reassembly process 
is best performed.  Having made that decision, they should decide whether to 
fragment the GRE payload or GRE delivery packet, accordingly.


Some IP implementations are vulnerable to the Overlapping Fragment Attack [RFC 
1858]. This vulnerability is not specific to GRE and needs to be considered in 
all environments where IP fragmentation is present. [RFC 3128] describes a 
procedure by which IPv4 implementations can partially mitigate the 
vulnerability. [RFC 5722] mandates a procedure by which IPv6-compliant 
implementations are required to mitigate the vulnerability. The procedure 
described in RFC 5722 completely mitigates the vulnerability. Operators SHOULD 
ensure that the vulnerability is mitigated to their satisfaction on equipment 
that they deploy.

PMTU Discovery is vulnerable to two denial of service attacks (see Section 8 of 
[RFC1191]<https://tools.ietf.org/html/rfc1191#section-8> for details).  Both 
attacks are based upon on a malicious party sending forged ICMPv4 Destination 
Unreachable or ICMPv6 Packet Too Big messages to a host.  In the first attack, 
the forged message indicates an inordinately small PMTU.  In the second attack, 
the forged message indicates an inordinately large MTU.  In both cases, 
throughput is adversely affected.  On order to mitigate such attacks, GRE 
implementations include a configuration option to disable PMTU discovery on GRE 
tunnels.  Also, they can include a configuration option that conditions the 
behavior of PMTUD to establish a minimum PMTU.

<NEW




_______________________________________________
Int-area mailing list
Int-area@ietf.org
https://www.ietf.org/mailman/listinfo/int-area