Re: some issues about IPSec
Date: Mon, 26 Jan 1998 12:41:57 -0800
From: Daniel Harkins <dharkins@cisco.com>
Since the responder won't begin exponentiation until receipt of the 2nd
message (which contains his cookie which he passed in the 1st) he at least
knows there's a peer at a particular IP address which "speaks" ISAKMP.
Therefore the SGW won't do the actual exponentiation if barraged with
hundreds of ISAKMP packets with spoofed source addresses. The attacker
has to receive the 1st response from the SGW and reply properly to get
the SGW to exponentiate. It might be easy to track down such an attacker
in this situation.
Just to amplify a particular point which Dan made here. The key here is
that it's much harder to do a denial of service attack without revealing
your IP address, which presumably would make it much easier to trace
things back to you. At this point, one can use out-of-band methods of
security enforcement. :-)
- Ted
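The anti-clogging property discussed above can be shown in a small model: the responder answers the first message with a cookie bound to the claimed source address, stores nothing, and refuses to do the Diffie-Hellman exponentiation until that cookie comes back in the next message. The code below is an added illustration, not part of this thread or of any IPsec implementation; the cookie construction (an HMAC over address, port and initiator cookie), the toy DH group and the sample addresses are all assumptions made for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Toy Diffie-Hellman parameters, constructed for illustration only.
# A real ISAKMP/Oakley exchange would use a standard MODP group.
P = 2**127 - 1
G = 2


@dataclass
class Responder:
    """Simplified security gateway side of the ISAKMP cookie exchange."""
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    priv: int = field(default_factory=lambda: secrets.randbelow(P - 2) + 1)
    exponentiations: int = 0  # count of expensive DH operations performed

    def cookie_for(self, src_ip: str, src_port: int, i_cookie: bytes) -> bytes:
        # Stateless anti-clogging cookie (assumed construction): keyed hash
        # over the claimed source address, port and the initiator's cookie.
        # The responder keeps no per-peer state at this point.
        msg = f"{src_ip}:{src_port}".encode() + i_cookie
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def handle_msg1(self, src_ip, src_port, i_cookie):
        # First message in: echo the initiator cookie, supply ours. No DH yet.
        return i_cookie, self.cookie_for(src_ip, src_port, i_cookie)

    def handle_msg2(self, src_ip, src_port, i_cookie, r_cookie, ke):
        # Second message in: only a peer that actually received our reply at
        # the claimed source address can present a valid responder cookie.
        expected = self.cookie_for(src_ip, src_port, i_cookie)
        if not hmac.compare_digest(expected, r_cookie):
            return None  # dropped; no exponentiation spent on a spoofer
        self.exponentiations += 1
        return pow(ke, self.priv, P)


def spoofed_flood(responder, count):
    """Attacker sends `count` first messages from spoofed addresses. The
    replies go to the spoofed hosts, so the attacker can only guess the
    responder cookie when forging the follow-up. Returns DH ops performed."""
    for i in range(count):
        ip = f"203.0.113.{i % 256}"  # constructed, spoofed source address
        ic = secrets.token_bytes(8)
        responder.handle_msg1(ip, 500, ic)
        responder.handle_msg2(ip, 500, ic, secrets.token_bytes(8), G)
    return responder.exponentiations


def honest_exchange(responder):
    """A peer at a real address completes both round trips. Returns the
    responder's shared secret, the initiator's, and the DH op count."""
    ip, port = "198.51.100.7", 500  # constructed sample address
    ic = secrets.token_bytes(8)
    x = secrets.randbelow(P - 2) + 1
    _, rc = responder.handle_msg1(ip, port, ic)
    resp_secret = responder.handle_msg2(ip, port, ic, rc, pow(G, x, P))
    init_secret = pow(pow(G, responder.priv, P), x, P)
    return resp_secret, init_secret, responder.exponentiations


def cookie_is_address_bound(responder):
    """A valid cookie obtained at one address is useless from another."""
    ic = secrets.token_bytes(8)
    _, rc = responder.handle_msg1("198.51.100.7", 500, ic)
    return responder.handle_msg2("192.0.2.9", 500, ic, rc, G) is None


if __name__ == "__main__":
    r = Responder()
    print("DH ops after 300 spoofed packets:", spoofed_flood(r, 300))
    a, b, n = honest_exchange(r)
    print("honest peer agreed:", a == b, "DH ops:", n)
```

Running it shows the count of exponentiations staying at zero through the spoofed flood and rising to one only for the peer that could receive the reply, which is exactly why the attacker in this design has to expose a reachable address to make the gateway do real work.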