[strongSwan] Question about IKE frag

Emeric POUPON emeric.poupon at stormshield.eu
Wed May 3 13:36:19 CEST 2017


Hello,

Let's sum up the proposal:
- no: do not announce IKE frag support, drop received IKE fragmented packets
- accept: announce IKE frag support, accept IKE fragmented packets
- yes: announce IKE frag support, accept IKE fragmented packets and emit fragmented packets using the other option to set the max fragment size.
- force: as before for IKEv1

What do you think? Would you accept such a change?

By the way, is there any known resource attack based on IKE fragmentation? Unfortunately, something similar has been discovered on ipsec-tools recently: https://sourceforge.net/p/ipsec-tools/mailman/message/35428211/

Regards,

Emeric
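The question above about resource attacks on IKE fragmentation comes down to how much state a responder is willing to allocate for messages it has not yet fully received. The following is an added illustration (not strongSwan's code, nor ipsec-tools') of a fragment reassembler that bounds that state: it validates the fragment header before allocating anything, caps the number of fragments and reassembled bytes per message, caps the number of partially received messages per peer, and expires stale partials. The fragment layout (1-based fragment number plus total, as in RFC 7383) is modelled with a plain dataclass, and all limit values are hypothetical choices made for the example.

```python
"""Bounded IKE fragment reassembly (added illustration, not strongSwan code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical limits chosen for this example; a real daemon picks its own.
MAX_FRAGMENTS = 64             # upper bound on Total Fragments per message
MAX_MESSAGE_BYTES = 64 * 1024  # upper bound on the reassembled message size
MAX_PENDING_PER_PEER = 4       # partially reassembled messages kept per peer
FRAGMENT_TIMEOUT = 30.0        # seconds before a partial message is discarded


@dataclass
class Fragment:
    """Simplified IKEv2 fragment: 'number' and 'total' are 1-based (RFC 7383 style)."""
    peer: str
    message_id: int
    number: int
    total: int
    data: bytes


@dataclass
class Partial:
    """State kept for one message whose fragments are still arriving."""
    total: int
    first_seen: float
    pieces: Dict[int, bytes] = field(default_factory=dict)
    size: int = 0


class Reassembler:
    def __init__(self) -> None:
        # (peer, message_id) -> partial reassembly state
        self._pending: Dict[Tuple[str, int], Partial] = {}

    def _expire(self, now: float) -> None:
        """Drop partial messages that have waited longer than FRAGMENT_TIMEOUT."""
        stale = [k for k, p in self._pending.items()
                 if now - p.first_seen > FRAGMENT_TIMEOUT]
        for k in stale:
            del self._pending[k]

    def _pending_for_peer(self, peer: str) -> int:
        return sum(1 for (p, _) in self._pending if p == peer)

    def pending_count(self) -> int:
        return len(self._pending)

    def feed(self, frag: Fragment, now: float) -> Tuple[str, Optional[bytes]]:
        """Feed one fragment; return ('complete', message), ('partial', None)
        or ('reject:<reason>', None)."""
        self._expire(now)
        # Header sanity checks happen before any state is allocated, so a
        # bogus fragment costs the responder nothing but the check itself.
        if not (1 <= frag.total <= MAX_FRAGMENTS):
            return "reject:total_out_of_range", None
        if not (1 <= frag.number <= frag.total):
            return "reject:number_out_of_range", None
        key = (frag.peer, frag.message_id)
        part = self._pending.get(key)
        if part is None:
            # Refuse to start a new partial once the per-peer budget is used up
            # (evicting the oldest instead would be an equally valid policy).
            if self._pending_for_peer(frag.peer) >= MAX_PENDING_PER_PEER:
                return "reject:too_many_pending", None
            part = Partial(total=frag.total, first_seen=now)
            self._pending[key] = part
        elif part.total != frag.total:
            # Contradictory header for the same message id: discard everything.
            del self._pending[key]
            return "reject:total_mismatch", None
        if frag.number in part.pieces:
            return "reject:duplicate", None
        if part.size + len(frag.data) > MAX_MESSAGE_BYTES:
            del self._pending[key]
            return "reject:too_large", None
        part.pieces[frag.number] = frag.data
        part.size += len(frag.data)
        if len(part.pieces) < part.total:
            return "partial", None
        # All fragments present: release the state and hand back the message.
        del self._pending[key]
        message = b"".join(part.pieces[i] for i in range(1, part.total + 1))
        return "complete", message
```

The important property is that every rejection path either allocates no state or frees the state it touched, so a peer that never completes a message can hold at most MAX_PENDING_PER_PEER partials of at most MAX_MESSAGE_BYTES each, and only until FRAGMENT_TIMEOUT passes.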



----- Original Message -----
From: "Tobias Brunner" <tobias at strongswan.org>
To: "Emeric POUPON" <emeric.poupon at stormshield.eu>
Cc: "Users" <users at lists.strongswan.org>
Sent: Friday, 28 April, 2017 18:16:59
Subject: Re: [strongSwan] Question about IKE frag

> That would be something like that:
> - no -> announce support (but do not fragment output packets)
> - yes -> announce support and use it to fragment output packets
> 
> What do you think?

You won't be able to completely disable the feature this way.  For
example, if the peer supports it but doesn't fragment the packets
correctly.  That would require at least another possible value (like
`accept` for the `no` option above) or a strongswan.conf option.

Regards,
Tobias

