Always setting the DF bit in this case will probably increase the delay
before the IKE SA is set up (as more probes will need to be done).

Except that if you continue to allow IP fragmentation, you can't claim your solution is robust to IP fragment poisoning.

I think it is.

Consider the situation when the IKE responder is under attack
via IP fragmentation (no matter which: a poisoning attack or a memory
exhaustion attack). In any case the responder will not be able to reply.
After some (short) timeout the initiator will try to apply IKE Fragmentation.
Then, if those new messages are not fragmented on the path, they
will bypass the reassembly code on the responder and the attack will
be thwarted. If those messages are fragmented, even with their
smallest allowed size, then it doesn't matter whether the DF bit is set or not.
If it is set, the fragmenting device will drop the messages; if it is not set,
then the attack will not be thwarted. Nothing can be done.

Summary: setting the DF bit in a situation when even the smallest IKE Fragment
messages are still fragmented by IP will definitely prevent IKE from working.
Unsetting it will leave a chance (as with any DoS attack).

It does, in Section 3.3.

Sorry - I missed that. But that section also gives good reasons why this is a bad idea in IKE too.

It lists some drawbacks: added complexity and lack of individual ACKs.
They were discussed by the WG and found acceptable.
It suggests using TCP instead. That was considered by the WG,
but rejected due to numerous issues.

Valery.
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
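The three situations argued over in the message above (DF set on a healthy path costs an extra probe round; an initiator that falls back to IKE Fragmentation sidesteps a responder whose IP reassembly is under attack; and a path narrower than the smallest IKE fragment fails outright with DF set but keeps a chance with DF clear) can be checked with a small simulation. The following is an added toy model written for this page, not code from the thread, the IPsec WG or any IKE implementation. It assumes: 28 bytes of IPv4+UDP overhead, a responder under fragment attack loses every datagram that needs reassembly, the initiator probes the constructed fragment sizes 1280, 1024 and 576 bytes (treated as whole IP datagram sizes) after one unfragmented attempt, and attempt count stands in for handshake delay.

```python
"""Toy model of IKEv2 message delivery with and without the DF bit while the
responder's IP reassembly is under attack. Constructed example, not from the
thread; all sizes and behaviours below are assumptions of this model."""
from dataclasses import dataclass
from typing import Optional, Tuple

IP_OVERHEAD = 28  # assumed: IPv4 header (20) + UDP header (8)


@dataclass
class Path:
    mtu: int  # largest IP datagram the path forwards without fragmenting

    def forward(self, datagram_len: int, df: bool) -> Tuple[str, int]:
        """Return ('dropped', 0) when DF is set and the datagram is too big,
        else ('delivered', number_of_ip_fragments_the_responder_must_reassemble)."""
        if datagram_len <= self.mtu:
            return "delivered", 1
        if df:
            return "dropped", 0  # a real router would send ICMP "fragmentation needed"
        per_fragment = self.mtu - 20  # assumed 20-byte IP header on each fragment
        pieces = -(-datagram_len // per_fragment)  # ceiling division
        return "delivered", pieces


@dataclass
class Responder:
    under_fragment_attack: bool  # reassembly cache poisoned or exhausted

    def receive(self, pieces: int) -> bool:
        """True if the datagram reaches the IKE code. While the attack lasts,
        anything that needs IP reassembly is lost; single datagrams bypass it."""
        return not (pieces > 1 and self.under_fragment_attack)


def run_exchange(msg_len: int, path: Path, responder: Responder, df: bool,
                 probe_sizes=(1280, 1024, 576)) -> Tuple[bool, int, Optional[int]]:
    """One IKE request: first as a single datagram, then (after a timeout)
    as IKE fragments of decreasing size. Returns (ok, attempts, fragment_size).
    Attempts are the delay proxy; fragment_size is None when no IKE
    fragmentation was needed or the exchange failed."""
    attempts = 1
    status, pieces = path.forward(msg_len + IP_OVERHEAD, df)
    if status == "delivered" and responder.receive(pieces):
        return True, attempts, None
    for size in probe_sizes:  # assumed probing order of IKE fragment sizes
        attempts += 1
        # all IKE fragments of one message have the same size in this toy,
        # so the fate of one datagram is the fate of the whole message
        status, pieces = path.forward(size, df)
        if status == "delivered" and responder.receive(pieces):
            return True, attempts, size
    return False, attempts, None


def scenarios() -> dict:
    """Outcomes for the situations discussed in the thread (constructed values)."""
    healthy = Responder(under_fragment_attack=False)
    attacked = Responder(under_fragment_attack=True)
    wide = Path(mtu=1400)   # fits the 1280-byte probe unfragmented
    narrow = Path(mtu=500)  # narrower than even the smallest probe
    msg = 3000              # an IKE_AUTH-sized message with certificates
    return {
        "healthy_df_clear": run_exchange(msg, wide, healthy, df=False),
        "healthy_df_set": run_exchange(msg, wide, healthy, df=True),
        "attacked_df_clear": run_exchange(msg, wide, attacked, df=False),
        "attacked_df_set": run_exchange(msg, wide, attacked, df=True),
        "narrow_df_set": run_exchange(msg, narrow, healthy, df=True),
        "narrow_df_clear_attacked": run_exchange(msg, narrow, attacked, df=False),
        "narrow_df_clear_healthy": run_exchange(msg, narrow, healthy, df=False),
    }


if __name__ == "__main__":
    for name, (ok, attempts, size) in scenarios().items():
        print(f"{name:26s} ok={ok!s:5s} attempts={attempts} ike_fragment_size={size}")
```

Reading the output: with a healthy responder, DF clear succeeds on the first attempt while DF set needs a second round (the delay cost from the first paragraph); under attack, both settings succeed on the second attempt because the 1280-byte IKE fragments cross the path without IP fragmentation and never touch the reassembly code; on the 500-byte path, DF set fails after every probe, and DF clear fails only while the attack is actually running.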