[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: combining SA proposals in IKE [was: Some questions]

To: Daniel Harkins <dharkins@cisco.com>
Subject: Re: combining SA proposals in IKE [was: Some questions]
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
Date: Mon, 18 May 1998 12:11:54 -0400
Cc: ipsec@tis.com
In-Reply-To: Your message of "Sun, 17 May 1998 16:11:03 PDT." <199805172311.QAA09399@greatdane.cisco.com>
Sender: owner-ipsec@ex.tis.com

> I'm not so sure I see a need for requiring that the SPIs be unpredictable.

THis isn't an IKE concern, it's an overall *system*-level concern.

AH/ESP SPI's should be unpredictable so that off-path
clogging/denial-of-service attacks aren't ridiculously easy.. it's
much more efficient to discard a packet with a unknown SPI than to
verify the MAC on one with a valid SPI...

				- Bill

References:

Re: combining SA proposals in IKE [was: Some questions]

From: Daniel Harkins <dharkins@cisco.com>

Prev by Date: Authentication Only Bit
Next by Date: Policy question
Next by thread: RE: [Karen Seo: Thomas Narten -- clarification, etc.]
Index(es):
- Main
- Thread