
Re: ISAKMP DELETE payload



Pau-Chen,

> Should the DELETE payload be authenticated using an ISAKMP SA
> (or pre-shared key) ? Otherwise there seems to be an easy
> denial-of-service attack.

The second paragraph of section 5.13 of ISAKMP-06 states ....

	"Deletion of Security Associations MUST always be performed
	under the protection of an ISAKMP SA."

Unless the ISAKMP SA is established without authentication-related SA
attributes, I think we are protected from the DOS attack.

Please correct me if I'm wrong.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* Douglas Maughan                Voice:  (301) 688-0847           *
* Technical Director, R23        Fax:    (301) 688-0255           *
* National Security Agency       E-mail: wdmaugh@tycho.ncsc.mil   *
* 9800 Savage Road                       maughan@cs.umbc.edu      *
* Fort Meade, MD. 20755-6000                                      *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
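
The receiver-side consequence of the rule quoted above, as an added example that is not part of the original message or of any ISAKMP implementation: an Informational message carrying a DELETE payload in the clear is dropped, and a protected one is only passed on when it maps to an ISAKMP SA that was negotiated with authentication. The header layout and numeric constants are taken from RFC 2408 and are assumed to match the draft under discussion; the SA state table, `screen` and `build` are hypothetical names, and the sample packets are constructed.

```python
import struct

# Header layout and numbers as in RFC 2408 (assumed to match the draft discussed above).
HDR = struct.Struct("!8s8sBBBBII")  # cookies, next payload, version, exchange, flags, msg id, length
INFORMATIONAL, DELETE, NONE, ENCRYPTED = 5, 12, 0, 0x01

def payload_types(first, body):
    """Walk the generic payload chain of a cleartext body, yielding each payload type."""
    nxt, off = first, 0
    while nxt != NONE:
        if off + 4 > len(body):
            raise ValueError("truncated payload header")
        yield nxt
        nxt, _reserved, length = struct.unpack_from("!BBH", body, off)
        if length < 4 or off + length > len(body):
            raise ValueError("bad payload length")
        off += length

def screen(packet, isakmp_sas):
    """Return 'drop: <reason>' or the next processing step for one received message.

    isakmp_sas is a hypothetical state table: (initiator cookie, responder cookie) ->
    True if that ISAKMP SA was negotiated with authentication, False if not.
    """
    if len(packet) < HDR.size:
        return "drop: truncated header"
    icky, rcky, nxt, _ver, exch, flags, _mid, length = HDR.unpack_from(packet)
    if length != len(packet):
        return "drop: length mismatch"
    if exch != INFORMATIONAL:
        return "other exchange"
    if not flags & ENCRYPTED:
        try:
            kinds = list(payload_types(nxt, packet[HDR.size:]))
        except ValueError as err:
            return f"drop: {err}"
        return "drop: DELETE outside ISAKMP SA protection" if DELETE in kinds else "cleartext, no DELETE"
    if (icky, rcky) not in isakmp_sas:
        return "drop: no ISAKMP SA for these cookies"
    if not isakmp_sas[(icky, rcky)]:
        return "drop: ISAKMP SA has no authentication"
    return "decrypt-and-verify"  # integrity check after decryption is not modelled here

def build(flags, first, body, icky=b"I" * 8, rcky=b"R" * 8):
    """Constructed sample: an Informational message, version 1.0, message ID 1."""
    return HDR.pack(icky, rcky, first, 0x10, INFORMATIONAL, flags, 1, HDR.size + len(body)) + body

# Constructed DELETE payload: DOI 1, protocol 3, one 4-byte SPI.
DELETE_BODY = struct.pack("!BBHIBBH", NONE, 0, 16, 1, 3, 4, 1) + b"\xde\xad\xbe\xef"
```

The screen only decides whether a message may proceed; the SA is deleted only after decryption and the integrity check succeed.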