
Re: ISAKMP DELETE payload




Yes, you are right. Does the draft also define a standard way
to authenticate the payload, e.g. that a keyed hash or signature
should be computed over certain parts of the message (or payload)?

Pau-Chen

> 
> Pau-Chen,
> 
> > Should the DELETE payload be authenticated using an ISAKMP SA
> > (or pre-shared key) ? Otherwise there seems to be an easy
> > denial-of-service attack.
> 
> The second paragraph of section 5.13 of ISAKMP-06 states ....
> 
> 	"Deletion of Security Associations MUST always be performed
> 	under the protection of an ISAKMP SA."
> 
> Unless the ISAKMP SA is established without authentication-related SA
> attributes, I think we are protected from the DOS attack.
> 
> Please correct me if I'm wrong.
> 
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
> * Douglas Maughan                Voice:  (301) 688-0847           *
> * Technical Director, R23        Fax:    (301) 688-0255           *
> * National Security Agency       E-mail: wdmaugh@tycho.ncsc.mil   *
> * 9800 Savage Road                       maughan@cs.umbc.edu      *
> * Fort Meade, MD. 20755-6000                                      *
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
> 
>
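The exchange above turns on one point: a DELETE that is not bound to the ISAKMP SA by a keyed hash (or signature) can be sent by anyone who can reach the peer, and a receiver that acts on it tears down a live SA. The following Python is an added example that is not part of this thread and does not use the real ISAKMP wire encoding; it models a simplified header plus delete payload, protects it with an HMAC-SHA256 keyed under a constructed SA key, and shows that the receiver only acts on a DELETE whose tag verifies, ignoring unprotected, tampered or wrongly keyed messages. All layout constants, the key, cookies and the SPI are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed layout for the model (NOT the ISAKMP-06 encoding):
#   header  = initiator cookie (8) || responder cookie (8) || message id (4)
#   payload = b"D" || spi_len (1) || spi
#   wire    = header || payload || HMAC-SHA256(key, header || payload)
TAG_LEN = 32
HEADER_LEN = 8 + 8 + 4

# Constructed demo key standing in for the key derived under the ISAKMP SA.
SA_AUTH_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def build_delete_message(cookie_i, cookie_r, msg_id, spi):
    """Assemble the unprotected header and delete payload."""
    header = cookie_i + cookie_r + msg_id.to_bytes(4, "big")
    payload = b"D" + len(spi).to_bytes(1, "big") + spi
    return header + payload


def protect(message, key):
    """Append a keyed hash over the whole message (the 'protection of an ISAKMP SA')."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def process_delete(wire, key):
    """Return the SPI to delete, or None when the message must be ignored.

    The keyed hash is checked before any field is interpreted, so a forger
    without the SA key cannot make the receiver delete anything.
    """
    if len(wire) < HEADER_LEN + 2 + TAG_LEN:
        return None  # too short to carry a tag: unprotected, ignore
    body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key or tampered content
    if body[HEADER_LEN:HEADER_LEN + 1] != b"D":
        return None
    spi_len = body[HEADER_LEN + 1]
    spi = body[HEADER_LEN + 2:HEADER_LEN + 2 + spi_len]
    if len(spi) != spi_len:
        return None  # truncated SPI
    return spi


def demo():
    """Run the receiver against a genuine DELETE and three messages a forger could send."""
    cookie_i, cookie_r = b"\x01" * 8, b"\x02" * 8
    spi = bytes.fromhex("deadbeef")  # constructed SPI
    unprotected = build_delete_message(cookie_i, cookie_r, 7, spi)
    genuine = protect(unprotected, SA_AUTH_KEY)
    # Forger guesses a tag, or signs under a key that is not the SA's key.
    zero_tag = unprotected + bytes(TAG_LEN)
    wrong_key = protect(unprotected, bytes(64))
    # Attacker flips one SPI byte of a captured genuine message.
    tampered = bytearray(genuine)
    tampered[HEADER_LEN + 2] ^= 0xFF
    return {
        "genuine": process_delete(genuine, SA_AUTH_KEY),
        "unprotected": process_delete(unprotected, SA_AUTH_KEY),
        "zero_tag": process_delete(zero_tag, SA_AUTH_KEY),
        "wrong_key": process_delete(wrong_key, SA_AUTH_KEY),
        "tampered": process_delete(bytes(tampered), SA_AUTH_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} -> {'delete SPI ' + result.hex() if result else 'ignored'}")
```

Only the genuine message results in a deletion; the other four are dropped before any SA state is touched, which is the property the quoted MUST in section 5.13 is meant to guarantee.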