Re: [IPsec] [Last-Call] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06

2022-05-30 Thread to...@strayalpha.com
On May 30, 2022, at 12:25 PM, Tero Kivinen wrote: > > I think we need to add text explaining how to detect when the TCP > length framing gets messed up by attacks, and how to recover (i.e., > close down the TCP channel and recreate the TCP channel). The impact of RSTs can be limited for this

Re: [IPsec] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06

2022-05-30 Thread Tero Kivinen
Valery Smyslov writes: > If the TCP connection is abandoned (for any reason) and the > associated IKE SA is still up, then the IKE initiator will re-create > it. So, it is not a big deal, but definitely can influence > performance. On the other hand, an attacker who is able to alter the > packets

Re: [IPsec] [Last-Call] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06

2022-05-30 Thread to...@strayalpha.com
... > On May 30, 2022, at 9:21 AM, Valery Smyslov wrote: > > > From: to...@strayalpha.com > [mailto:to...@strayalpha.com ] > Sent: Monday, May 30, 2022 7:00 PM > To: Valery Smyslov > Cc: Christian Huitema; sec...@ietf.org

Re: [IPsec] [Last-Call] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06

2022-05-30 Thread Valery Smyslov
From: to...@strayalpha.com [mailto:to...@strayalpha.com] Sent: Monday, May 30, 2022 7:00 PM To: Valery Smyslov Cc: Christian Huitema; sec...@ietf.org; draft-ietf-ipsecme-rfc8229bis@ietf.org; ipsec@ietf.org; last-c...@ietf.org Subject: Re: [Last-Call] Secdir last call review of

Re: [IPsec] [Last-Call] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06

2022-05-30 Thread to...@strayalpha.com
It might be useful to add that most of those injection attacks are similar to the kind of attack possible when IPsec is carried inside IP tunnels or UDP tunnels when IPsec messages are split across tunnel messages. In those cases, the vulnerability depends on the predictability of the fragment

Re: [IPsec] [Last-Call] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06

2022-05-30 Thread Valery Smyslov
Hi Joe, Christian, From: to...@strayalpha.com [mailto:to...@strayalpha.com] Sent: Monday, May 30, 2022 6:21 PM To: Christian Huitema Cc: Valery Smyslov; sec...@ietf.org; draft-ietf-ipsecme-rfc8229bis@ietf.org; ipsec@ietf.org; last-c...@ietf.org Subject: Re: [Last-Call] Secdir last call

Re: [IPsec] [Last-Call] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06

2022-05-30 Thread to...@strayalpha.com
> On May 30, 2022, at 8:00 AM, Christian Huitema wrote: > > The bar against TCP injection attacks might be lower than you think. An > attacker that sees the traffic can easily inject TCP packet with sequence > number that fit in the flow control window and are ahead of what the actual >

Re: [IPsec] [Last-Call] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06

2022-05-30 Thread Christian Huitema
On 5/30/2022 4:52 AM, Valery Smyslov wrote: Hi Christian, thank you for your review! Please find my comments inline. -----Original Message----- From: Christian Huitema via Datatracker [mailto:nore...@ietf.org] Sent: Sunday, May 29, 2022 12:15 AM To: sec...@ietf.org Cc:

Re: [IPsec] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06

2022-05-30 Thread Valery Smyslov
Hi Christian, thank you for your review! Please find my comments inline. > -----Original Message----- > From: Christian Huitema via Datatracker [mailto:nore...@ietf.org] > Sent: Sunday, May 29, 2022 12:15 AM > To: sec...@ietf.org > Cc: draft-ietf-ipsecme-rfc8229bis@ietf.org; ipsec@ietf.org;