
Re: resistance to swamping attacks.



> From: Steven Bellovin <smb@research.att.com>
> 
> 	 > From touch@isi.edu
> 	 
> 	 But then you're authenticating the signature, but not the packet
> 	 itself, no?
> 	 
> 	 In that case, I can replay a signed connection-establishment request
> 	 with random source addrs.
> 
> Depends on what you sign.  In my note, I said ``in principle''....

> From touch@ISI.EDU Fri Sep 20 12:32:53 1996
> From: touch@ISI.EDU
> 
> So, it might be the case that, in order to avoid swamping attacks,
> we need two kinds of authentication:
> 
> 	- whole packet (to keep conversations secure)
> 
> 	- header only (for fast processing to check for
> 		swamping)
> 
> If so, do we need another kind of header?
> (IP-AH specs only the first)

Except that, as a colleague here pointed out, checking authentication
of SYNs costs much more than keeping the half-open connection block.

That's the argument for *not* needing a header-only authenticator.

Joe
----------------------------------------------------------------------
Joe Touch - touch@isi.edu		    http://www.isi.edu/~touch/
ISI / Project Leader, ATOMIC-2, LSAM       http://www.isi.edu/atomic2/
USC / Research Assistant Prof.                http://www.isi.edu/lsam/