[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: A pothole in ISAKMP/Oakley

To: pau@watson.ibm.com
Subject: Re: A pothole in ISAKMP/Oakley
From: ho@earth.hpc.org (Hilarie Orman)
Date: Tue, 15 Apr 1997 15:41:03 -0400
Cc: ipsec@tis.com, canetti@watson.ibm.com, Dan.McDonald@Eng.sun.com
In-reply-to: Yourmessage <9704151927.AA22368@secpwr.watson.ibm.com>
Sender: owner-ipsec@ex.tis.com

> You are right. But since Quick Mode Exchange is proteted
> (encrypted and authenticated) by the phase 1 ISAKMP SA,
> clogging attack should not be a big problem.

Maybe we are talking about different attacks.  The requirement for AH
and ESP SPI generation was there before there was key management.  We
should ask why.  I'd guess that the worry has been that an attacker
could predict the SPI sequence and insert bogus messages with valid
SPI's into the traffic stream, forcing the recipient to go through at
least the trouble of checking the hash if not also decrypting.

Hilarie

Follow-Ups:

Re: A pothole in ISAKMP/Oakley

From: Bill Sommerfeld <sommerfeld@apollo.hp.com>

Re: A pothole in ISAKMP/Oakley

From: Norman Shulman <norm@border.com>

References:

Re: A pothole in ISAKMP/Oakley

From: pau@watson.ibm.com

Prev by Date: Re: A pothole in ISAKMP/Oakley
Next by Date: Re: Slicing and Dicing in new-esp
Prev by thread: Re: A pothole in ISAKMP/Oakley
Next by thread: Re: A pothole in ISAKMP/Oakley
Index(es):
- Main
- Thread