
Re: some issues about IPSec



A different approach would be to transmit an Informational message that would
disrupt a current exchange. This would only require the ability to monitor for an
ISAKMP/Oakley exchange and insert the Informational message (created from
the monitored data) at the appropriate time. In other words, no need to reveal
your IP address.

Theodore Y. Ts'o wrote:

>    Date: Mon, 26 Jan 1998 12:41:57 -0800
>    From: Daniel Harkins <dharkins@cisco.com>
>
>      Since the responder won't begin exponentiation until receipt of the 2nd
>    message (which contains his cookie which he passed in the 1st) he at least
>    knows there's a peer at a particular IP address which "speaks" ISAKMP.
>    Therefore the SGW won't do the actual exponentiation if barraged with
>    hundreds of ISAKMP packets with spoofed source addresses. The attacker
>    has to receive the 1st response from the SGW and reply properly to get
>    the SGW to exponentiate. It might be easy to track down such an attacker
>    in this situation.
>
> Just to amplify a particular point which Dan made here.  The key here is
> that it's much harder to do a denial of service attack without revealing
> your IP address, which presumably would make it much easier to trace
> things back to you.  At this point, one can use out-of-band methods of
> security enforcement.  :-)
>
>                                                 - Ted



--
David W. Faucher
Lucent Technologies - Bell Labs
dfaucher@lucent.com
(515) 747-8617
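A simplified model of the cookie mechanism Dan describes above, added here as an illustration (not code from either poster): the responder answers message 1 with a cheap stateless cookie and only performs its expensive work when message 2 echoes that cookie back from the same address. The `Responder` class, the HMAC-based cookie construction and the addresses are assumptions for this demo, not the ISAKMP specification's exact format.

```python
import hashlib
import hmac
import os
import secrets

# Responder's local secret for cookie generation (constructed for this demo).
SECRET = os.urandom(16)


def make_cookie(secret: bytes, peer_addr: str, peer_cookie: bytes) -> bytes:
    """Stateless responder cookie bound to the peer's address and cookie."""
    msg = peer_addr.encode() + peer_cookie
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


class Responder:
    def __init__(self) -> None:
        self.exponentiations = 0  # counts expensive (DH) operations performed

    def handle_msg1(self, src_addr: str, init_cookie: bytes) -> bytes:
        # Message 1: reply with a cookie, keep no state, do no exponentiation.
        return make_cookie(SECRET, src_addr, init_cookie)

    def handle_msg2(self, src_addr: str, init_cookie: bytes,
                    resp_cookie: bytes) -> bool:
        # Message 2 must carry the cookie we issued to this address.
        expected = make_cookie(SECRET, src_addr, init_cookie)
        if not hmac.compare_digest(expected, resp_cookie):
            return False  # wrong/missing cookie: drop before any heavy work
        self.exponentiations += 1  # stand-in for the real exponentiation
        return True


def simulate(n_spoofed: int) -> tuple:
    """Return (accepted_exchanges, exponentiations) for a spoofed flood
    followed by one legitimate peer (addresses constructed for the demo)."""
    r = Responder()
    accepted = 0
    # A sender spoofing its source address never receives message 1, so it
    # cannot echo the responder's cookie and only wastes a cheap HMAC.
    for i in range(n_spoofed):
        addr, ic = f"10.0.{i % 256}.{i // 256}", secrets.token_bytes(8)
        r.handle_msg1(addr, ic)
        if r.handle_msg2(addr, ic, secrets.token_bytes(8)):
            accepted += 1
    # A peer at a real, reachable address completes the round trip.
    ic = secrets.token_bytes(8)
    rc = r.handle_msg1("192.0.2.10", ic)
    if r.handle_msg2("192.0.2.10", ic, rc):
        accepted += 1
    return accepted, r.exponentiations
```

Running `simulate(1000)` shows the responder exponentiating exactly once, for the peer that revealed a reachable address, which is the point Ted amplifies.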