ICMP: an Attack Vector against IPsec Gateways

Ludovic Jacquin 1, 2, * Vincent Roca 1 Jean-Louis Roch 2, *
* Auteur correspondant
1 PRIVATICS - Privacy Models, Architectures and Tools for the Information Society
Inria Grenoble - Rhône-Alpes, CITI - CITI Centre of Innovation in Telecommunications and Integration of services
2 MOAIS - PrograMming and scheduling design fOr Applications in Interactive Simulation
Inria Grenoble - Rhône-Alpes, LIG - Laboratoire d'Informatique de Grenoble
Abstract : In this work we show that the Internet Control Message Protocol (ICMP) can be used as an attack vector against IPsec gateways. The main contribution of this work is to demonstrate that an attacker having eavesdropping and traffic injection capabilities in the black untrusted network (he only sees ciphered packets), can force a gateway to reduce the Path MTU of an IPsec tunnel to a minimum, which in turn creates serious issues for devices on the trusted network behind this gateway: depending on the Path MTU discovery algorithm, it either prevents any new TCP connection (Denial of Service), or it creates major performance penalties (more than 6 seconds of delay in TCP connection establishment and ridiculously small TCP segment sizes). After detailing the attack and the behavior of the various nodes, we discuss some counter measures, with the goal to find a balance between ICMP benefits and the associated risks.
Keywords : security network IPsec ICMP
Type de document :
Pré-publication, Document de travail
2013
Liste complète des métadonnées

Littérature citée [18 références]  Voir  Masquer  Télécharger

https://hal.inria.fr/hal-00879997
Contributeur : Ludovic Jacquin <>
Soumis le : mardi 5 novembre 2013 - 11:10:54
Dernière modification le : vendredi 12 octobre 2018 - 01:17:58
Document(s) archivé(s) le : jeudi 6 février 2014 - 04:35:56

Fichier

paper.pdf
Fichiers produits par l'(les) auteur(s)

Identifiants

  • HAL Id : hal-00879997, version 1

Citation

Ludovic Jacquin, Vincent Roca, Jean-Louis Roch. ICMP: an Attack Vector against IPsec Gateways. 2013. 〈hal-00879997〉

Partager

Métriques

Consultations de la notice

628

Téléchargements de fichiers

618