Re: resistance to swamping attacks.
> From: Steven Bellovin <smb@research.att.com>
>
> > From touch@isi.edu
>
> But then you're authenticating the signature, but not the packet
> itself, no?
>
> In that case, I can replay a signed connection-establishment request
> with random source addrs.
>
> Depends on what you sign. In my note, I said ``in principle''....
> From touch@ISI.EDU Fri Sep 20 12:32:53 1996
> From: touch@ISI.EDU
>
> So, it might be the case that, in order to avoid swamping attacks,
> we need two kinds of authentication:
>
> - whole packet (to keep conversations secure)
>
> - header only (for fast processing to check for
> swamping)
>
> If so, do we need another kind of header?
> (IP-AH specs only the first)
Except that, as a colleague here pointed out, checking authentication
of SYNs costs much more than keeping the half-open connection block.
That's the argument for *not* needing a header-only authenticator.
Joe
----------------------------------------------------------------------
Joe Touch - touch@isi.edu http://www.isi.edu/~touch/
ISI / Project Leader, ATOMIC-2, LSAM http://www.isi.edu/atomic2/
USC / Research Assistant Prof. http://www.isi.edu/lsam/