Skip to Main content Skip to Navigation
New interface
Conference papers

Too Big or Too Small? The PTB-PTS ICMP-based Attack against IPsec Gateways

Ludovic Jacquin 1 Vincent Roca 1, * Jean-Louis Roch 2, * 
* Corresponding author
1 PRIVATICS - Privacy Models, Architectures and Tools for the Information Society
Inria Grenoble - Rhône-Alpes, CITI - CITI Centre of Innovation in Telecommunications and Integration of services, Inria Lyon
2 MOAIS - PrograMming and scheduling design fOr Applications in Interactive Simulation
Inria Grenoble - Rhône-Alpes, LIG - Laboratoire d'Informatique de Grenoble
Abstract : This work introduces the "Packet Too Big"-"Packet Too Small" ICMP based attack against IPsec gateways. We explain how an attacker having eavesdropping and packet injection capabilities, from the insecure network where he only sees encrypted packets, can force a gateway to reduce the Path MTU of an IPsec tunnel to the minimum, which triggers severe issues for the hosts behind this gateway: depending on the Path MTU discovery algorithm in use, the attack either creates a Denial of Service or major performance penalties. This attack highlights two fundamental problems that we discuss, along with potential counter-measures to mitigate the attack while keeping ICMP benefits.
Complete list of metadata

Cited literature [20 references]  Display  Hide  Download
Contributor : Vincent Roca Connect in order to contact the contributor
Submitted on : Tuesday, July 29, 2014 - 12:24:17 PM
Last modification on : Thursday, August 4, 2022 - 5:18:35 PM
Long-term archiving on: : Tuesday, November 25, 2014 - 8:12:29 PM


Files produced by the author(s)


  • HAL Id : hal-01052994, version 1


Ludovic Jacquin, Vincent Roca, Jean-Louis Roch. Too Big or Too Small? The PTB-PTS ICMP-based Attack against IPsec Gateways. IEEE Global Communications Conference (GLOBECOM'14), John Donovan (general chair), Dec 2014, Austin, United States. ⟨hal-01052994⟩



Record views


Files downloads