
Re: some issues about IPSec



   Date: Mon, 26 Jan 1998 12:41:57 -0800
   From: Daniel Harkins <dharkins@cisco.com>

     Since the responder won't begin exponentiation until receipt of the 2nd 
   message (which contains his cookie which he passed in the 1st) he at least 
   knows there's a peer at a particular IP address which "speaks" ISAKMP. 
   Therefore the SGW won't do the actual exponentiation if barraged with 
   hundreds of ISAKMP packets with spoofed source addresses. The attacker 
   has to receive the 1st response from the SGW and reply properly to get
   the SGW to exponentiate. It might be easy to track down such an attacker 
   in this situation.

Just to amplify a particular point which Dan made here.  The key here is
that it's much harder to do a denial of service attack without revealing
your IP address, which presumably would make it much easier to trace
things back to you.  At this point, one can use out-of-band methods of
security enforcement.  :-)

						- Ted

