DoS protection for UDP-based protocols
Source: Conference on Computer and Communications Security archive
Proceedings of the 10th ACM conference on Computer and communications security
Washington D.C., USA
SESSION: DOS protection
Pages: 2 - 7
Year of Publication: 2003
ISBN: 1-58113-738-9
Authors
Charlie Kaufman  IBM
Radia Perlman  Sun Microsystems
Bill Sommerfeld  Sun Microsystems
Sponsor
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/948109.948113

ABSTRACT

Since IP packet reassembly requires resources, a denial of service attack can be mounted by swamping a receiver with IP fragments. In this paper we argue that this attack need not affect protocols that do not rely on IP fragmentation, and that most protocols, e.g., those that run on top of TCP, can avoid the need for fragmentation altogether. However, protocols such as IPsec's IKE, which both run on top of UDP and require sending large packets, depend on IP packet reassembly. Photuris, an early proposal for IKE, introduced the concept of a stateless cookie, intended for DoS protection. However, the stateless cookie mechanism cannot protect against a DoS attack unless the receiver can successfully receive the cookie, which it cannot do if its reassembly resources are exhausted. Thus, without additional design and/or implementation defenses, an attacker can use a fragmentation attack to prevent legitimate IKE handshakes from completing. Defense against this attack requires both protocol design and implementation defenses. The IKEv2 protocol was designed to make it easy to build a defensive implementation. This paper explains the defense strategy designed into the IKEv2 protocol, along with the additional implementation mechanisms needed. It also describes and contrasts several other potential strategies that could work for similar UDP-based protocols.


REFERENCES


1. Aiello, W., Bellovin, S., Blaze, M., Canetti, R., Ioannidis, J., Keromytis, A., Reingold, O., "Just Fast Keying (JFK)", draft-ietf-ipsec-jfk-00.txt, Nov 2001.
2. Aiello, W., Bellovin, S., Blaze, M., Canetti, R., Ioannidis, J., Keromytis, A., Reingold, O., draft-ietf-ipsec-jfk-03, April 2002.
3. Harkins, D., and Carrel, D., "The Internet Key Exchange (IKE)", RFC 2409, November 1998.
4. Harkins, D., Kaufman, C., and Perlman, R., "The Internet Key Exchange (IKE) Protocol", draft-ietf-ipsec-ikev2-00.txt, Nov 2001.
5. Harkins, D., Kaufman, C., Kent, S., Kivinen, T., and Perlman, R., "The Internet Key Exchange (IKE) Protocol", draft-ietf-ipsec-ikev2-01.txt, Feb 2002.
6. Harkins, D., Kaufman, C., Kent, S., Kivinen, T., and Perlman, R., "Design Rationale for IKEv2", draft-ietf-ipsec-ikev2-rationale-00.txt, Feb 2002.
8. Karn, P., "The Photuris Key Management Protocol", Internet draft draft-karn-photuris-00.txt, December 1994.
10. Mogul, J., and Deering, S., "Path MTU discovery", RFC 1191, November 1990.
11. Orman, H., "The OAKLEY Key Determination Protocol", RFC 2412, November 1998.
15. Simpson, W. A., "IKE/ISAKMP Considered Harmful", Usenix ;login:, December 1999, Volume 24, Number 6.

