Skip to Main content Skip to Navigation
New interface
Preprints, Working Papers, ...

ICMP: an Attack Vector against IPsec Gateways

Ludovic Jacquin 1, 2, * Vincent Roca 1 Jean-Louis Roch 2, * 
* Corresponding author
1 PRIVATICS - Privacy Models, Architectures and Tools for the Information Society
Inria Grenoble - Rhône-Alpes, CITI - CITI Centre of Innovation in Telecommunications and Integration of services, Inria Lyon
2 MOAIS - PrograMming and scheduling design fOr Applications in Interactive Simulation
Inria Grenoble - Rhône-Alpes, LIG - Laboratoire d'Informatique de Grenoble
Abstract : In this work we show that the Internet Control Message Protocol (ICMP) can be used as an attack vector against IPsec gateways. The main contribution of this work is to demonstrate that an attacker having eavesdropping and traffic injection capabilities in the black untrusted network (he only sees ciphered packets), can force a gateway to reduce the Path MTU of an IPsec tunnel to a minimum, which in turn creates serious issues for devices on the trusted network behind this gateway: depending on the Path MTU discovery algorithm, it either prevents any new TCP connection (Denial of Service), or it creates major performance penalties (more than 6 seconds of delay in TCP connection establishment and ridiculously small TCP segment sizes). After detailing the attack and the behavior of the various nodes, we discuss some counter measures, with the goal to find a balance between ICMP benefits and the associated risks.
Keywords : security network IPsec ICMP
Document type :
Preprints, Working Papers, ...
Complete list of metadata

Cited literature [18 references]  Display  Hide  Download
Contributor : Ludovic Jacquin Connect in order to contact the contributor
Submitted on : Tuesday, November 5, 2013 - 11:10:54 AM
Last modification on : Thursday, August 4, 2022 - 5:18:35 PM
Long-term archiving on: : Thursday, February 6, 2014 - 4:35:56 AM


Files produced by the author(s)


  • HAL Id : hal-00879997, version 1


Ludovic Jacquin, Vincent Roca, Jean-Louis Roch. ICMP: an Attack Vector against IPsec Gateways. 2013. ⟨hal-00879997⟩



Record views


Files downloads