Re: ISAKMP DELETE payload
Pau-Chen,

> Should the DELETE payload be authenticated using an ISAKMP SA
> (or pre-shared key) ? Otherwise there seems to be an easy
> denial-of-service attack.

The second paragraph of section 5.13 of ISAKMP-06 states:

    "Deletion of Security Associations MUST always be performed
    under the protection of an ISAKMP SA."

Unless the ISAKMP SA is established without authentication-related SA
attributes, I think we are protected from the DOS attack.

Please correct me if I'm wrong.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* Douglas Maughan Voice: (301) 688-0847 *
* Technical Director, R23 Fax: (301) 688-0255 *
* National Security Agency E-mail: wdmaugh@tycho.ncsc.mil *
* 9800 Savage Road maughan@cs.umbc.edu *
* Fort Meade, MD. 20755-6000 *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
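
Added example, not part of the original message or of the ISAKMP draft: a receiver-side sketch of the rule quoted above, in which a DELETE is acted on only when it verifies under an ISAKMP SA that carries an authentication key. The names `IsakmpSA`, `delete_mac` and `handle_delete`, the HMAC-SHA256 choice, the byte encoding, and the policy of refusing DELETE on an SA negotiated without authentication are all assumptions made for illustration, not the protocol's wire format.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class IsakmpSA:
    """Receiver-side state for one ISAKMP SA (hypothetical, simplified model)."""
    auth_key: Optional[bytes]  # None models an SA set up without authentication attributes
    child_spis: set = field(default_factory=set)  # SAs negotiated under this ISAKMP SA


def delete_mac(key: bytes, message_id: int, spis: list) -> bytes:
    # Keyed hash binding the message ID to the exact SPIs being deleted.
    # Assumption: HMAC-SHA256 over a made-up encoding, not the real payload layout.
    body = struct.pack("!I", message_id)
    body += b"".join(struct.pack("!I", spi) for spi in spis)
    return hmac.new(key, body, hashlib.sha256).digest()


def handle_delete(sa: Optional[IsakmpSA], message_id: int,
                  spis: list, mac: Optional[bytes]) -> str:
    """Act on a DELETE only when it verifies under an authenticated ISAKMP SA."""
    if sa is None:
        return "dropped: no ISAKMP SA"
    if sa.auth_key is None:
        # The case the message singles out: nothing here proves who sent the DELETE.
        return "dropped: ISAKMP SA has no authentication"
    expected = delete_mac(sa.auth_key, message_id, spis)
    if mac is None or not hmac.compare_digest(mac, expected):
        return "dropped: authentication failed"
    sa.child_spis.difference_update(spis)
    return "deleted"


if __name__ == "__main__":
    # Constructed key and SPIs, for demonstration only.
    sa = IsakmpSA(auth_key=b"constructed-demo-key", child_spis={0x1001, 0x1002})
    print(handle_delete(sa, 7, [0x1001], None))            # bare DELETE, no MAC
    print(handle_delete(sa, 7, [0x1001], b"\x00" * 32))    # MAC that does not verify
    good = delete_mac(sa.auth_key, 7, [0x1001])
    print(handle_delete(sa, 7, [0x1001], good))            # verifies, SA removed
    print(sorted(hex(s) for s in sa.child_spis))
```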