Too Big or Too Small? The PTB-PTS ICMP-based Attack against IPsec Gateways

Ludovic Jacquin 1 Vincent Roca 1, * Jean-Louis Roch 2, *
* Corresponding author
1 PRIVATICS - Privacy Models, Architectures and Tools for the Information Society
Inria Grenoble - Rhône-Alpes, CITI - CITI Centre of Innovation in Telecommunications and Integration of services
2 MOAIS - PrograMming and scheduling design fOr Applications in Interactive Simulation
Inria Grenoble - Rhône-Alpes, LIG - Laboratoire d'Informatique de Grenoble
Abstract : This work introduces the "Packet Too Big"-"Packet Too Small" ICMP based attack against IPsec gateways. We explain how an attacker having eavesdropping and packet injection capabilities, from the insecure network where he only sees encrypted packets, can force a gateway to reduce the Path MTU of an IPsec tunnel to the minimum, which triggers severe issues for the hosts behind this gateway: depending on the Path MTU discovery algorithm in use, the attack either creates a Denial of Service or major performance penalties. This attack highlights two fundamental problems that we discuss, along with potential counter-measures to mitigate the attack while keeping ICMP benefits.
Complete list of metadatas

Cited literature [20 references]  Display  Hide  Download

https://hal.inria.fr/hal-01052994
Contributor : Vincent Roca <>
Submitted on : Tuesday, July 29, 2014 - 12:24:17 PM
Last modification on : Saturday, June 22, 2019 - 1:44:54 AM
Long-term archiving on : Tuesday, November 25, 2014 - 8:12:29 PM

File

globecom14_ptb-pts_attack.pdf
Files produced by the author(s)

Identifiers

  • HAL Id : hal-01052994, version 1

Collections

Citation

Ludovic Jacquin, Vincent Roca, Jean-Louis Roch. Too Big or Too Small? The PTB-PTS ICMP-based Attack against IPsec Gateways. IEEE Global Communications Conference (GLOBECOM'14), John Donovan (general chair), Dec 2014, Austin, United States. ⟨hal-01052994⟩

Share

Metrics

Record views

682

Files downloads

424