Hello everybody,

Here is a new I-D.

The idea is that some end-hosts, depending on their exact configuration, may strangely react in situations where they are asked to reduce their outgoing packet size (PMTU) below what any link should accept (the 576 / IPv4 and 1280 / IPv6 magic values). Do not hesitate if you have comments/questions. I’ll also be at Prague, even if it’s not in the WG agenda.

Cheers,

Vincent and Saikou

> From: [email protected]
> Subject: New Version Notification for draft-roca-ipsecme-ptb-pts-attack-00.txt
> Date: 6 July 2015 16:47:15 UTC+2
> To: "Vincent Roca" <[email protected]>, "Saikou Fall" <[email protected]>
>
> A new version of I-D, draft-roca-ipsecme-ptb-pts-attack-00.txt
> has been successfully submitted by Vincent Roca and posted to the
> IETF repository.
>
> Name: draft-roca-ipsecme-ptb-pts-attack
> Revision: 00
> Title: Too Big or Too Small? The PTB-PTS ICMP-based Attack against IPsec Gateways
> Document date: 2015-07-06
> Group: Individual Submission
> Pages: 16
> URL: https://www.ietf.org/internet-drafts/draft-roca-ipsecme-ptb-pts-attack-00.txt
> Status: https://datatracker.ietf.org/doc/draft-roca-ipsecme-ptb-pts-attack/
> Htmlized: https://tools.ietf.org/html/draft-roca-ipsecme-ptb-pts-attack-00
>
> Abstract:
> This document introduces the "Packet Too Big"-"Packet Too Small"
> Internet Control Message Protocol (ICMP) based attack against IPsec
> gateways. We explain how an attacker having eavesdropping and packet
> injection capabilities, from the unsecure network where he only sees
> encrypted packets, can force a gateway to reduce the Path Maximum
> Transmission Unit (PMTU) of an IPsec tunnel to the minimum, which can
> trigger severe issues for the hosts behind this gateway: with a Linux
> host, depending on the PMTU discovery algorithm in use (i.e., PMTUd
> versus PLPMTUd) and protocol (TCP versus UDP), the attack either
> creates a Denial of Service or major performance penalties. This
> attack highlights two fundamental problems, namely: (1) the
> impossibility to distinguish legitimate from illegitimate ICMP
> packets coming from the untrusted network, and (2) the contradictions
> in the way Path MTU is managed by some end hosts when this Path MTU
> is below the minimum packet size any link should support because of
> the IPsec encapsulation.
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
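As an added illustration of the "too small" condition the abstract describes (example code written for this page, not part of the mail or the draft): a gateway-side check that classifies ICMP "Packet Too Big" reports arriving from the untrusted side. It uses the 576 / 1280 floors named in the mail; the ESP overhead value, the `PtbReport` record and the sample reports are constructed assumptions.

```python
"""Classify ICMP PTB reports seen by an IPsec gateway on its untrusted side.

Added example, not code from the draft. Two things are checked: a report
asking for less than the per-family minimum link MTU (which no link may
require) and a report at/near that minimum whose ESP overhead pushes the
*inner* PMTU below the floor, the PTB-PTS situation the abstract describes.
"""
from dataclasses import dataclass

MIN_MTU = {4: 576, 6: 1280}  # minimum MTU any link must accept, per family


@dataclass
class PtbReport:
    family: int        # 4 or 6: address family of the outer (tunnel) packet
    reported_mtu: int  # MTU advertised in the PTB / fragmentation-needed message
    src: str           # constructed label used only for logging


def evaluate_ptb(rep: PtbReport, esp_overhead: int) -> dict:
    """Return the action for one report plus the inner PMTU it implies.

    esp_overhead is an assumed per-packet cost of the ESP encapsulation
    (outer header, SPI/sequence, IV, padding, ICV); pick it for your SA.
    """
    floor = MIN_MTU[rep.family]
    if rep.reported_mtu < floor:
        # No link is required to carry less than the floor: the report is
        # either broken or not legitimate, so it must not update the PMTU.
        return {"action": "ignore", "reason": "below minimum link MTU",
                "inner_pmtu": None}
    inner = rep.reported_mtu - esp_overhead
    if inner < floor:
        # Outer MTU looks legal, but the tunnel overhead leaves the hosts
        # behind the gateway with a PMTU under the floor: raise an alert.
        return {"action": "alert", "reason": "inner PMTU below minimum",
                "inner_pmtu": inner}
    return {"action": "accept", "reason": "ok", "inner_pmtu": inner}


def scan(reports, esp_overhead: int) -> dict:
    """Count actions over a batch of reports (input to an alert threshold)."""
    counts = {"accept": 0, "alert": 0, "ignore": 0}
    for rep in reports:
        counts[evaluate_ptb(rep, esp_overhead)["action"]] += 1
    return counts


# Constructed sample: a normal PTB, one at the IPv6 floor, one below it.
SAMPLE = [PtbReport(6, 1400, "2001:db8::1"),
          PtbReport(6, 1280, "2001:db8::2"),
          PtbReport(6, 1000, "2001:db8::3")]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.src, evaluate_ptb(r, esp_overhead=64))
    print(scan(SAMPLE, esp_overhead=64))
```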
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
