• DocumentCode
    265673
  • Title

    Too big or too small? The PTB-PTS ICMP-based attack against IPsec gateways

  • Author

    Jacquin, Ludovic ; Roca, Vincent ; Roch, Jean-Louis

  • Author_Institution
    Inria, Sophia-Antipolis, France
  • fYear
    2014
  • fDate
    8-12 Dec. 2014
  • Firstpage
    530
  • Lastpage
    536
  • Abstract
    This work introduces the "Packet Too Big"-"Packet Too Small" ICMP-based attack against IPsec gateways. We explain how an attacker having eavesdropping and packet injection capabilities, from the insecure network where he only sees encrypted packets, can force a gateway to reduce the Path MTU of an IPsec tunnel to the minimum, which triggers severe issues for the hosts behind this gateway: depending on the Path MTU discovery algorithm in use, the attack either creates a Denial of Service or major performance penalties. This attack highlights two fundamental problems that we discuss, along with potential counter-measures to mitigate the attack while keeping ICMP benefits.
  • Keywords
    IP networks; computer network security; IPsec gateways; PTB-PTS ICMP-based attack; denial of service; internet control message protocol; packet too big; packet too small; path MTU discovery algorithm; path maximum transmission unit discovery; Cryptography; IP networks; Information systems; Logic gates; Payloads; Protocols
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Global Communications Conference (GLOBECOM), 2014 IEEE
  • Conference_Location
    Austin, TX
  • Type

    conf

  • DOI
    10.1109/GLOCOM.2014.7036862
  • Filename
    7036862