
Re: ISAKMP: Issues



At 10:26 PM 2/27/98 , Derrell D. Piper wrote:
>>What is the argument for trashing the message?  Leave it unless there is a
>>strong such argument.
>
>It seems to me that if a Key Negotiation protocol that purports to be
>providing enhanced security receives a malformed message (i.e. the code on the
>other end "got it wrong"), that the prudent thing to do is to refuse the
>negotiation under the assumption that the other end probably got other things
>wrong too.  If you can't figure out the size of the message you're sending,
>how are you ever going to parse the proposals?  :-)

I think you need to be more careful than that (my vote is to discard the 
message).  I assume that malformed packets are being sent by a malicious 
entity who doesn't want my key negotiation to succeed.  So I drop them and 
hope to receive a good one in the future.
 
-- 
Matt Thomas                    Internet:   matt.thomas@altavista-software.com
Internet Locksmith             WWW URL:    <coming eventually>
AltaVista Internet Software    Disclaimer: This message reflects my own
Littleton, MA                              warped views, etc.
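
The discard policy argued for in the reply above, as an added example that is not part of the original message or of any ISAKMP implementation: a datagram whose ISAKMP length field disagrees with its actual size is dropped silently, and the negotiation stays open for a later well-formed message. The `Negotiation` class, the function names and the sample messages are hypothetical and constructed for this sketch; the 28-byte header layout is the fixed ISAKMP header from RFC 2408.

```python
import struct

# Fixed ISAKMP header (RFC 2408): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # 28 bytes


class Negotiation:
    """Hypothetical per-peer state; only what the drop policy needs."""

    def __init__(self):
        self.accepted = []  # well-formed messages handed to the exchange logic
        self.dropped = 0    # malformed datagrams discarded silently
        self.alive = True   # never cleared because of a malformed datagram


def drop_reason(datagram):
    """Return None if the size checks pass, else why the datagram is dropped."""
    if len(datagram) < ISAKMP_HDR.size:
        return "shorter than the fixed header"
    length = ISAKMP_HDR.unpack_from(datagram)[-1]
    if length != len(datagram):
        return "length field does not match datagram size"
    return None


def receive(datagram, neg):
    """Discard malformed input without replying or touching negotiation state."""
    if drop_reason(datagram) is not None:
        neg.dropped += 1  # counted for logging only; the exchange is not aborted
        return False
    neg.accepted.append(datagram)
    return True


def build(icookie, body=b"", claimed_length=None):
    """Constructed sample message: header plus an opaque body."""
    actual = ISAKMP_HDR.size + len(body)
    length = actual if claimed_length is None else claimed_length
    # Next payload 1, version 1.0, exchange type 2 are sample values only.
    return ISAKMP_HDR.pack(icookie, bytes(8), 1, 0x10, 2, 0, 0, length) + body
```
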

