Hi,
IP fragmentation is a Bad Thing in general and it is better to avoid it. With TCP traffic the TCP/IP stack usually sends only unfragmented IP packets, so this is usually not a problem (especially if you fool the stack that the MTU is a bit smaller than real, so the packet is still within real MTU size after applying ESP header/trailer/padding/ICV and external IP header). The problem is worse with UDP. In this case it is an application that decides how much data it wants to send in each datagram and there could be fairly large UDP datagrams, that have to be IP fragmented. In tunnel mode they can be either pre-fragmnted (before applying IPsec), or post-fragmented (fragment the resulting ESP packet). In transport mode it is not possible to pre-fragment packets. In general, I think that pre-fragmenting is a bit better, than post-fragmenting. So you’d better to apply ESP to each of IP fragments and send whole IP packets, than apply ESP to a whole packet and then send it as a set of IP fragments. In this case you at least verify each internal IP fragment on receiver, before sending it to IP stack. In the other case you have to reassemble all the fragments before you can verify the ESP packet, and this gives an attacker a nice target for DoS attack. However, the justification is weak, since the IP packets can always be fragmented en route (unless you set Don’t Fragment bit). Regards, Valery. From: IPsec [mailto:[email protected]] On Behalf Of Tobias Guggemos Sent: Thursday, July 20, 2017 11:39 AM To: 'Raja ashok'; [email protected] Cc: IPsecme WG; [email protected] Subject: Re: [IPsec] Suggestions in draft-mglt-lwig-minimal-esp Hey Ashok, thanks for your feedback. For your first comment I tend to agree and I think we can add this to the draft! For the second, I agree with your assumption that tunnels might appear in constrained scenarios (it’s actually one of our main goals for ipsec/esp). However, I’m not sure if this recommendation to not use fragmentation is valid on a security side, why I’d like to give the question to the ipsecme WG, if that does not open any other security issues? Or if there is anything else to consider on that? Thanks Tobias Von: Raja ashok [mailto:[email protected]] Gesendet: Freitag, 14. Juli 2017 16:22 An: [email protected] Cc: [email protected] Betreff: Suggestions in draft-mglt-lwig-minimal-esp Hi Daniel & Tobias, I gone through the lwIG draft for ESP. I am having some doubts and suggestions which are listed below. Please check and provide your comments. 1) For replay protection, RFC 4303 suggests to use 32 or 64 bit window. I feel in this draft, we can recommend to use 32 bit window for replay protection. 2) Tunneled ESP msg with fragmented IP header (in ESP payload) may leads to DoS vulnerability for a constraint receiver. RFC 4303 is suggesting this fragmentation as optional. So I feel we can mention as fragmentation and reassembly is not required to support in tunneled IP header. As it can be handled by the IP header which carries ESP msg. I hope tunneled ESP msg might be required in some scenarios of constraint devices also. Regards, Ashok _____ Company_logo Raja Ashok V K Huawei Technologies Bangalore, India http://www.huawei.com _____ 本邮件及其附件含有华为公司的保密信息,仅限于发送给上面地址中列出的个人或群组。禁 止任何其他人以任何形式使用(包括但不限于全部或部分地泄露、复制、或散发)本邮件中 的信息。如果您错收了本邮件,请您立即电话或邮件通知发件人并删除本邮件! This e-mail and its attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient(s) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!
_______________________________________________ Lwip mailing list [email protected] https://www.ietf.org/mailman/listinfo/lwip
