Consider the situation when the IKE responder is under attack
via IP fragmentation (no matter which: poisoning attack or memory
exhausting attack). In any case the responder will not be able to reply.
After some (short) timeout the initiator will try to apply IKE Fragmentation.
Then, if those new messages are not fragmented on the path, they
will bypass the reassembly code on the responder and the attack will
be thwarted. If those messages are fragmented, even with their
smallest allowed size, then it doesn't matter whether the DF bit is set or not.
If it is set, the fragmenting device will drop the messages; if it is not set,
then the attack will not be thwarted. Nothing can be done.

You're not proposing to use the smallest size, which would be 68 bytes.

No, as it is not possible with this solution. Depending on the algorithms involved,
the smallest IP packet containing an IKE message is about
100 bytes, and it is almost useless as in this case it contains only
a few bytes of useful data. The minimum IP packet size still useful
would be about 256 bytes.

So by not setting DF, you're enabling a fragmentation attack. If you set DF, a receiver could drop all fragments from addresses it wants to protect against IKE fragment poisoning.

Yes. But if even the smallest IKE messages are to be fragmented
by an intermediate node, then setting the DF bit (or dropping all IP fragments)
will just not enable IKE to succeed. By not setting it we give IKE a chance.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

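The trade-off argued in this exchange, as an added model that is not part of the thread or any IETF code (Python; the header and crypto overhead sizes are simplified assumptions, and the message length used in the test is made up): it splits an IKE message into IKE fragments of a chosen wire size and reports whether they bypass IP reassembly, are dropped because DF is set, or get IP-fragmented anyway.

```python
from dataclasses import dataclass
from typing import List

# Simplified per-packet overhead (constructed assumptions, not RFC-exact sizes):
IP_HDR = 20            # IPv4 header without options
UDP_HDR = 8
IKE_HDR = 28           # IKEv2 fixed header
FRAG_HDR = 8           # Encrypted Fragment payload: generic header + frag num/total
CRYPTO = 32            # assumed IV + padding + integrity checksum per fragment
OVERHEAD = IP_HDR + UDP_HDR + IKE_HDR + FRAG_HDR + CRYPTO

@dataclass
class Packet:
    size: int       # on-the-wire IPv4 packet size in bytes
    df: bool        # Don't Fragment bit
    ike_frag: bool  # carries an IKE Encrypted Fragment payload

def ike_fragments(msg_len: int, frag_size: int, df: bool) -> List[Packet]:
    """Split an IKE message of msg_len plaintext bytes into IKE fragments
    whose IP packets are at most frag_size bytes. Returns [] when
    frag_size is too small to carry any plaintext at all."""
    data_per_frag = frag_size - OVERHEAD
    if data_per_frag <= 0:
        return []
    count = -(-msg_len // data_per_frag)          # ceiling division
    sizes = [OVERHEAD + min(data_per_frag, msg_len - i * data_per_frag)
             for i in range(count)]
    return [Packet(s, df, True) for s in sizes]

def traverse(pkt: Packet, path_mtu: int) -> str:
    """What an intermediate node with the given MTU does with one packet."""
    if pkt.size <= path_mtu:
        return "forwarded"          # responder never touches IP reassembly
    if pkt.df:
        return "dropped"            # DF set: node discards the oversized packet
    return "ip-fragmented"          # DF clear: responder must reassemble again

def exchange_outcome(msg_len: int, frag_size: int, path_mtu: int, df: bool) -> str:
    """'bypass': reassembly code never runs; 'dropped': DF set and fragments
    still too large; 'still-reassembled': DF clear, so IP fragmentation and
    its attack surface remain; 'no-usable-fragments': frag_size too small."""
    frags = ike_fragments(msg_len, frag_size, df)
    if not frags:
        return "no-usable-fragments"
    results = {traverse(p, path_mtu) for p in frags}
    if results == {"forwarded"}:
        return "bypass"
    return "dropped" if "dropped" in results else "still-reassembled"
```

With these assumed overheads a 100-byte packet carries only 4 bytes of plaintext, which matches the "almost useless" point above, while 256-byte fragments carry 160 bytes each.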