[IPsec] TSVDIR-ish review of draft-ietf-ipsecme-ikev2-fragmentation-04

Mon, 21 Oct 2013 17:08:15 -0700 

Hi, all,

I've reviewed the following doc for TSVDIR:
        draft-ietf-ipsecme-ikev2-fragmentation-04
Although this is not intended as a complete TSVDIR review, I have checked for the typical issues. 

Joe

-------------------------------------------------------------------

draft-ietf-ipsecme-ikev2-fragmentation-04
This doc makes the case that IKEv2 should implement its own frag/reassembly mechanism, because some NATs don't pass IP fragments.
First, the issue with NATs and fragments should be made more clear, especially citing existing descriptions of this issue, e.g., RFC4787. Note that NATs which do not pass fragments violate RFQ-14 of that BCP RFC, and it might be useful to report this issue to the vendor.
Second, it is not clear why this issue is being handled inside IKE. Appendix A provides a design rationale, but it clearly trades computation and space overhead for local storage, and still permits DOS attacks (e.g., overloading the receiver with false fragments).
An equally viable solution (see ** below) would involve placing a single signed IKE message into a single IP packet, fragmenting that packet, and transmitting those fragments inside UDP datagrams. This approach could use the innermost IP encapsulation as the reassembly layer.
**: Although this approach is susceptible to fragmentation overload, so too is transmitting the original message over IP that is naturally fragmented at the network layer anyway - this introducing no new vulnerability.
This IP-encapsulated IKE message would need the same negotiation described in section 2.3, but would avoid the complexity of most of the rest of the document, relying instead on existing IP reassembly.
In conclusion, I don't see the need for the level of detail and mechanism proscribed, basically because it reinvents the wheel, but see no other substantial issues with it.
Additionally, regarding PMTUD, this should be done using PLMTUD (RFC 4821), and should be described as such. 

---


_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec

Reply via email to