[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Clogging attacks on SKIP: can we assume Kij is precomputed

To: Ashar.Aziz@eng.sun.com (Ashar Aziz)
Subject: Re: Clogging attacks on SKIP: can we assume Kij is precomputed
From: " " <amir@watson.ibm.com>
Date: Wed, 14 Dec 1994 08:45:38 -0500
Cc: amir@watson.ibm.com, ipsec@ans.net
In-Reply-To: Your message of "Tue, 13 Dec 1994 11:35:49 PST." <9412131935.AA29173@miraj.Eng.Sun.COM>


Ashar and other collegues,

In Ashar's response I found two different issues which we should clarify.
I'll dedicate this note to the first, which is: can we assume in SKIP that
the receiver can pre-compute all Kij pairs. It apprears to me that's what
Ashar suggests:

> First, let me mention that the pair keys Kij always (conceptually)
> exist, and can be precomputed *prior* to any communication attempt.
>

I think this is not reasonable for many applications. In particular, it
is not reasonable for the `firewall' application where a firewall of an
organization is the endpoint of (some) tunnels leading to the organization,
a scenario which the group has decided we must support (see Paul's note).
The number of potential Kij's is simply too large (practically unbounded).

> This can be done by following a prioritized list using the per node
> ACL (which you always need, because otherwise there is no need to
> authenticate).

Allow me to disagree: you don't always need an ACL (certainly not an `explicit
ACL' - even when ACL is needed, many times one can have `wildcards' to specify
large groups). For example, some firewalls may have a policy to allow all
communication in, except for some blacklisted, but also log the event (and
use the authentication to maintain the blacklist). Others may allow all
communication from any machine belonging to specific trading partners or
to all internal machines. While these examples are dramatic for the firewall
scenario, they apply almost as well to `regular' hosts.

> Note that this sort of precomputation cannot be performed
> using traditional (non-SKIP) interactive schemes, because there
> are no shared secrets prior to communication.

Again I must disagree. The pre-computation involves also getting the
(certified or otherwise authenticated) public keys. This is just the same
as the initial communication (and computation) of any other scheme for
long-lived keys.

> This precomputation
> can follow usage patterns of the machine, or some administrative
> action.
>

Agree with this statement. The clogging attack results from the fact the
attacker is not limited to your _usual_ patterns. You either risk denying
service to unusual patterns or getting clogged. In any case this is an
administration problem one has to address and warn the implementors from.

I"ll try to respond on your other points later.

Best, Amir

References:

Re: Clogging attacks on SKIP

From: Ashar.Aziz@eng.sun.com (Ashar Aziz)

Prev by Date: Re[2]: key management
Next by Date: Re: Diffie-Hellman (note by Hugo)
Prev by thread: Re: Clogging attacks on SKIP
Next by thread: Re: Clogging attacks on SKIP
Index(es):
- Main
- Thread