On 10/27/2013 10:41 PM, Valery Smyslov wrote:
>>> Always setting the DF bit in this case will probably increase the delay
>>> before the IKE SA is set up (as more probes will need to be done).
>>
>> Except that if you continue to allow IP fragmentation, you can't claim
>> your solution is robust to IP fragment poisoning.
>
> I think it is.
>
> Consider the situation when the IKE responder is under attack
> via IP fragmentation (no matter which - poisoning attack or memory
> exhaustion attack). In any case the responder will not be able to reply.
> After some (short) timeout the initiator will try to apply IKE Fragmentation.
> Then, if those new messages are not fragmented on the path, they
> will bypass the reassembly code on the responder and the attack will
> be thwarted. If those messages are fragmented, even with their
> smallest allowed size, then it doesn't matter whether the DF bit is set or not.
> If it is set, the fragmenting device will drop the messages; if it is not set,
> then the attack will not be thwarted. Nothing can be done.

You're not proposing to use the smallest size, which would be 68 bytes. So by not setting DF, you're enabling a fragmentation attack. If you set DF, a receiver could drop all fragments from addresses it wants to protect against IKE fragment poisoning.

Joe
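The trade-off the two of them are arguing about (DF set means more probe rounds before the IKE SA comes up; DF clear means the datagram can be split by a router and lands in the responder's IP reassembly code) can be made concrete with a small model. The following Python is an added illustration written for this page, not code from the thread or from any IKE implementation; the MTU, message size and halving strategy are constructed assumptions, and the only figure taken from the discussion is the 68-byte IPv4 minimum.

```python
"""Toy model of the DF-bit trade-off for IKE fragmentation.

Constructed example: MTUs, message sizes and the shrink-by-half probing
strategy are assumptions chosen for illustration, not values from the
IPsec list thread or from any implementation.
"""
import math

IPV4_HEADER = 20
UDP_HEADER = 8
MIN_IPV4_MTU = 68  # smallest MTU an IPv4 path must carry; the "68 bytes" in the thread
MIN_FRAG_PAYLOAD = MIN_IPV4_MTU - IPV4_HEADER - UDP_HEADER  # 40 bytes of IKE data


def send_ike_fragment(payload_len, df, path_mtu):
    """Fate of one UDP datagram carrying an IKE fragment on a path with path_mtu.

    'delivered'      - it fits, no router touches it
    'dropped'        - too big and DF set: a router discards it
    'ip_fragmented'  - too big and DF clear: a router splits it into IP fragments
    """
    if payload_len + IPV4_HEADER + UDP_HEADER <= path_mtu:
        return "delivered"
    return "dropped" if df else "ip_fragmented"


def responder_accepts(outcome, drop_ip_fragments):
    """Responder policy.  IP-fragmented datagrams reach the reassembly code
    (the attack surface) unless the responder drops IP fragments outright,
    which is the option Joe describes for addresses it wants to protect."""
    if outcome == "delivered":
        return True
    if outcome == "ip_fragmented":
        return not drop_ip_fragments
    return False


def negotiate(ike_msg_len, start_frag, df, path_mtu, drop_ip_fragments=False):
    """Initiator sends the IKE message in fragments of start_frag bytes and
    halves the fragment size after every round that draws no reply, down to
    the smallest payload an IPv4 path is required to carry.

    Returns a summary dict for the first size that gets through, or None if
    the initiator gives up (Valery's "nothing can be done" case).
    """
    frag = start_frag
    rounds = 0
    while frag >= MIN_FRAG_PAYLOAD:
        rounds += 1  # each round is one timeout's worth of delay
        outcome = send_ike_fragment(frag, df, path_mtu)
        if responder_accepts(outcome, drop_ip_fragments):
            return {
                "fragment_payload": frag,
                "ike_fragments": math.ceil(ike_msg_len / frag),
                "probe_rounds": rounds,
                # True means a router-split datagram reached IP reassembly
                "hit_ip_reassembly": outcome == "ip_fragmented",
            }
        frag //= 2
    return None


if __name__ == "__main__":
    # Constructed scenario: a 3000-byte IKE_AUTH, first fragment size 1280,
    # a 576-byte bottleneck somewhere on the path.
    for df, drop in ((True, False), (False, False), (False, True)):
        print(f"DF={df!s:5} drop_ip_fragments={drop!s:5} ->",
              negotiate(3000, 1280, df, 576, drop_ip_fragments=drop))
    print("path MTU below the IPv4 minimum ->", negotiate(3000, 1280, True, 60))
```

With DF set, the initiator needs three rounds (1280, 640, 320) before anything arrives, which is the extra delay Valery objects to, but no datagram ever enters IP reassembly. With DF clear, the very first round gets through because a router fragments it, so the handshake is faster and the responder's reassembly code is exposed. Dropping IP fragments at the responder restores the DF-set behaviour without relying on the initiator's bit, and a path whose MTU is below 68 bytes makes every strategy give up.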

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
