On Thu, Mar 31, 2016 at 8:59 AM, Miroslav Lichvar <[email protected]>
wrote:

> On Thu, Mar 31, 2016 at 01:58:35PM +0200, [email protected] wrote:
> > To be honest, we had never assumed for IP fragmentation (on one request
> > and one response) to be a huge problem.
>
> One request and response could still be a problem. If the client is
> not able to receive fragmented packets, it won't be able to initialize
> the NTS association.
>
>
Right, to second that, there are middleboxes that block fragmented packets.


> > If people see grave problems with it, we would welcome an elaboration
> > as to why this is.
>
> I'm not sure and I was hoping others would comment on that. It seems
> to me problems with IPv4 fragmentation are quite common due to
> firewalls dropping ICMP packets or IP fragments, and IPv6 doesn't seem
> to recommend sending packets larger than 1500.
>

To add to that, fragmentation is commonly used as an attack vector.  I
would strongly discourage the use of IP fragmentation in what is supposed
to be a security protocol.  Please see these references for a small
sampling of examples.

https://www.nanog.org/sites/default/files/mon.general.fragmentation.bonica.pdf

http://www.hpl.hp.com/techreports/Compaq-DEC/WRL-87-3.pdf

http://arxiv.org/abs/1205.4011

https://media.blackhat.com/bh-eu-12/Atlasis/bh-eu-12-Atlasis-Attacking_IPv6-WP.pdf

http://www.iss.net/security_center/reference/vuln/TearDrop.htm

https://www.offensive-security.com/wifu/Fragmentation-Attack-in-Practice.pdf

Even if you don't see a SPECIFIC attack on NTS in these papers, my point
is that we can usually find a way to exploit IP fragmentation in unexpected
ways to break security. This has happened over and over in the last two
decades on many different protocols. In fact this is exactly what we did in
our recent NTP paper, Section VI:

https://eprint.iacr.org/2015/1020.pdf

I would strongly object to having NTS rely on IP fragmentation.   This
would be a horrible design decision.

Thanks,
Sharon
_______________________________________________
TICTOC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tictoc
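The two concerns raised in the thread, that a datagram which exceeds the path MTU fragments at all and that fragment reassembly is something an off-path attacker can tamper with, can be made concrete with a small model of IPv4 fragmentation. The following is an added example written for this page; it is not code from the thread, from any NTS or NTP implementation, or from the cited papers. The 1200-byte "response", the 576-byte path MTU and the attacker's fragment are constructed for illustration, and the three reassembly policies are simplifications of the behaviours that different host stacks have historically shown rather than a description of any specific operating system.

```python
"""Toy IPv4-style fragmentation and reassembly (added example, not from the
thread).  It shows two things a protocol designer should check before relying
on fragmented datagrams: whether a message fragments at a given MTU at all,
and that the reassembled bytes depend on reassembly policy and arrival order,
both of which an attacker who can guess the 16-bit IP ID can influence."""
from __future__ import annotations

from dataclasses import dataclass

IPV4_HDR = 20   # bytes, no options
UDP_HDR = 8


@dataclass
class Fragment:
    ident: int    # IP identification; all fragments of one datagram share it
    offset: int   # byte offset into the original IP payload
    more: bool    # "more fragments" flag
    data: bytes


def needs_fragmentation(msg_len: int, mtu: int) -> bool:
    """Would a UDP message of msg_len bytes exceed the MTU on the wire?"""
    return IPV4_HDR + UDP_HDR + msg_len > mtu


def fragment(payload: bytes, mtu: int, ident: int) -> list[Fragment]:
    """Split an IP payload into fragments that fit the MTU.  Non-final
    fragments must carry a multiple of 8 bytes, as in IPv4."""
    chunk = (mtu - IPV4_HDR) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry a fragment")
    frags = []
    for off in range(0, len(payload), chunk):
        data = payload[off:off + chunk]
        frags.append(Fragment(ident, off, off + chunk < len(payload), data))
    return frags


def reassemble(frags: list[Fragment], policy: str = "reject") -> bytes | None:
    """Reassemble fragments of one datagram, in the order they arrived.

    policy "first":  bytes that arrived first win on overlap
    policy "last":   later fragments overwrite earlier bytes
    policy "reject": any overlap discards the whole datagram
    Returns the payload, or None if incomplete or rejected."""
    buf = bytearray()
    filled = bytearray()   # 1 where a byte has been written
    total = None
    for f in frags:
        end = f.offset + len(f.data)
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
            filled.extend(b"\x00" * (end - len(filled)))
        if policy == "reject" and any(filled[f.offset:end]):
            return None
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if policy == "first" and filled[pos]:
                continue
            buf[pos] = b
            filled[pos] = 1
        if not f.more:
            total = end
    if total is None or len(buf) != total or not all(filled[:total]):
        return None
    return bytes(buf[:total])


def demo() -> dict[str, bytes | None]:
    """Constructed scenario: a 1200-byte response crosses a 576-byte MTU path,
    and an attacker who guessed the IP ID injects one spoofed final fragment
    that arrives before the real one.  The attacker needs no knowledge of the
    payload, only the ID and the offset of the last fragment."""
    ident = 0x1234
    legit = b"L" * 1200
    assert needs_fragmentation(len(legit) - UDP_HDR, 576)
    frags = fragment(legit, 576, ident)
    last = frags[-1]
    spoof = Fragment(ident, last.offset, False, b"X" * len(last.data))
    arrival = [spoof] + frags
    return {p: reassemble(arrival, p) for p in ("first", "last", "reject")}


if __name__ == "__main__":
    for policy, result in demo().items():
        print(policy, None if result is None else result[:4] + b"..." + result[-4:])
```

Only the "reject" policy keeps the attacker's bytes out of the reassembled datagram, and it does so by dropping the whole response, which for the client in the thread means the NTS association never initializes. Whichever policy the peer's stack uses, the protocol above it has no say in the outcome, which is the reason for keeping security-protocol messages below the smallest MTU the path can be expected to carry.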
