
Re: IKE transport (was INITIAL-CONTACT issues)



>>>>> "Dan" == Dan McDonald <danmcd@Eng.Sun.Com> writes:

 Dan> There is nothing to stop malicious injections of RST packets
 Dan> into a TCP stream.  This is the biggest reason to not use TCP
 Dan> for IKE.  You'll never get past the 3-way handshake if you have
 Dan> a malicious eavesdropper.

You're talking about an active attack here, not an eavesdropper
(passive attacker).  And this is a denial of service attack.  Sure,
you can prevent the TCP connection from establishing.  Likewise, I
believe, you can prevent an IKE handshake from completing by inserting 
suitable packets, or deleting others.

I wouldn't think that anyone claims IKE to be resistant to denial of
service attacks.  Are you saying it is?

	paul

