Re: ISAKMP DELETE payload
Yes, you are right. Does the draft also define a standard way
to authenticate the payload, like a keyed-hash or signature
should be computed over certain parts of the msg (or payload)?
Pau-Chen
>
> Pau-Chen,
>
> > Should the DELETE payload be authenticated using an ISAKMP SA
> > (or pre-shared key)? Otherwise there seems to be an easy
> > denial-of-service attack.
>
> The second paragraph of section 5.13 of ISAKMP-06 states ....
>
> "Deletion of Security Associations MUST always be performed
> under the protection of an ISAKMP SA."
>
> Unless the ISAKMP SA is established without authentication-related SA
> attributes, I think we are protected from the DOS attack.
>
> Please correct me if I'm wrong.
>
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
> * Douglas Maughan Voice: (301) 688-0847 *
> * Technical Director, R23 Fax: (301) 688-0255 *
> * National Security Agency E-mail: wdmaugh@tycho.ncsc.mil *
> * 9800 Savage Road maughan@cs.umbc.edu *
> * Fort Meade, MD. 20755-6000 *
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>
>