Re: On a hybrid authentication mode for IKE





Kanta Matsuura wrote:

> Dear friends,
> I'd like to make a comment on
> draft-ietf-ipsec-isakmp-hybrid-auth-02.txt
> (A Hybrid Authentication Mode for IKE).
> In the 6th section, the document says that
> protection against DoS is not provided.
> My comment is that, since the Hybrid Authentication Mode
> uses Signature Mode of IKE first,
> a modified mode of it (draft-matsuura-sign-mode-00.txt)
> would be a better solution.
> The idea is the use of an intermediate random fresh value
> as an additional input to the HASH payload in the ack message
> from the client; if the client (maybe a DoS attacker) does not
> follow the protocol (i.e. skip the verification of the responder's
> signature), he/she cannot produce the correct HASH, which is
> efficiently (<-- hashing is an inexpensive computation)
> detected by the responder.
>
> Thanks,
>

The paragraph you mentioned talked about a different DoS attack -
an attack that causes the user account to be revoked on the RADIUS
server.
Your paper, if I understand correctly, talks about preventing DoS
attacks during Phase1.



