[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: swIPe comments

To: jfjr@mbunix.mitre.org
Subject: Re: swIPe comments
From: Phil Karn <karn@qualcomm.com>
Date: Thu, 23 Jun 1994 14:31:59 -0700
Cc: ipsec@ans.net
In-Reply-To: <199406221353.JAA02898@mbunix.mitre.org> (jfjr@mbunix.mitre.org)

>  We have modified our swIPe implementation slightly by adding host
>filtering. Once swIPe is turned on - the ifconfigs and ioctls have
>been issued - any packets from a designated swIPed partner that are
>not swIPed are rejected. This is a few lines of code, mainly in ip_input.

What happens if the remote peer crashes and loses its swIPe state? How
can you reestablish the security association if you block all non-swIPed
packets?

I've been giving this particular problem a LOT of thought. Your
protocol can allow for crashed hosts, but it's easy to leave yourself
open to simple denial-of-service attacks if you're not careful.

BTW, by a "simple" denial of service attack I mean the class of
attacks that could be mounted by anyone anywhere on the Internet by
using false IP source addresses WITHOUT subverting Internet routing or
having physical access to some particular Internet path (e.g., between
two legitimate security peers).

Although everyone knows that it's impossible to preclude ALL denial of
service attacks on the Internet, the "simple" class is *so* easy to do
that I think any protocol we design ought to take them into account.

Phil

Follow-Ups:

swIPe comments

From: jfjr@mbunix.mitre.org (Freedman)

References:

swIPe comments

From: jfjr@mbunix.mitre.org (Freedman)

Prev by Date: Re: Re[2]: Granularity of authentication in swIPe
Next by Date: Re: Granularity of authentication in swIPe
Prev by thread: swIPe comments
Next by thread: swIPe comments
Index(es):
- Main
- Thread