RE: Phase 1 KB lifetime
>>>>> "Sankar" == Sankar Ramamoorthi <Sankar@vpnet.com> writes:
>> ...
>> Bottom line is that IKE/IPSEC isn't fully self-stabilizing; it
>> doesn't recover (in short time) from a situation where one side
>> has SAs and the other does not -- however that situation may have
>> come about.
>>
>> There's a conflict between self-stabilization and robustness in
>> the face of DOS attack, unfortunately. ...
>> The safest answer is "do nothing" but that is also exactly the
>> design choice for non-self-stabilization.
Sankar> Are you saying that a design choice for
Sankar> non-self-stabilization is acceptable?
No (though IPSec isn't the only standard protocol that suffers from
this, nor the one to suffer the most). What I meant to say is that
this is the design choice that has been made, whether with the full
realization of what this means or not is unclear.
Sankar> Since, as you mentioned
Sankar> before, the situation that one side has an SA and the other
Sankar> side does not can come about in many ways, isn't
Sankar> self-stabilization all the more important?
Sure. In fact, I'd say that self-stabilization is always important
and always should be a design goal for any protocol, not to be set
aside except for very weighty reasons.
Sankar> Why is "do nothing" a safe choice for the receiver of the bad
Sankar> IPSec packet (IPSec packet without SA)? How does sending a
Sankar> 'invalid spi' notify to the sender of the ipsec packet affect
Sankar> the safety of the receiver? Isn't sending a notify better
Sankar> than doing nothing?
Not necessarily. Sending a notify consumes resources that are not
consumed by simply discarding the offending packet. Since DOS attacks
basically are attempts to get the receiver to consume lots of
resources, the less resources you use in dealing with invalid packets
the safer you are from DOS attacks.
Sankar> From the point of view of the sender (of the stale IPSec packet) it may
Sankar> be useful to receive a notify immediately - if it can be
Sankar> authenticated in some way then it can even act on it
Sankar> immediately.
True, but of course that's a big "if". Another SA problem scenario is
where both sides have SAs, but they don't match. If that is true for
the Phase 1 SAs as well, you cannot authenticate the notifies even if
they were sent. And you are wise not to accept them unauthenticated
because then you have a really BIG DOS attack opportunity!
paul
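The trade-offs argued in this message (silent drop versus an "invalid SPI" notify under a flood, an unauthenticated notify as a DOS lever, and a notify that cannot be verified because the two sides' Phase 1 SAs do not match) can be seen in a small simulation. This is an added example, not code from the list posting or from any IKE/IPsec implementation: the notify structure, the HMAC-with-Phase-1-key tag standing in for an authenticated IKE notify, the SPI values and the resource-cost units are all hypothetical.

```python
"""Toy model of the invalid-SPI decision discussed above.

Added example, not code from the original post or from any IKE/IPsec
implementation.  Message format, cost units and the HMAC-keyed "notify"
are hypothetical stand-ins for the real ISAKMP/IKE encodings.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

LEGIT_SPI = 0x1001          # constructed: an SPI both sides installed in Phase 2


@dataclass
class InvalidSpiNotify:
    spi: int
    mac: Optional[bytes] = None   # present only if the receiver has a Phase 1 key


def notify_mac(phase1_key: bytes, spi: int) -> bytes:
    """Hypothetical authentication tag: HMAC over the notify with the Phase 1 key."""
    return hmac.new(phase1_key, b"INVALID_SPI" + spi.to_bytes(4, "big"),
                    hashlib.sha256).digest()


class Receiver:
    """Receives IPsec packets; on an unknown SPI either drops or notifies."""

    def __init__(self, inbound_spis, policy: str, phase1_key: Optional[bytes] = None):
        assert policy in ("drop", "notify")
        self.inbound = set(inbound_spis)
        self.policy = policy
        self.key = phase1_key
        self.work = 0           # arbitrary resource units spent
        self.sent = []          # notifies emitted

    def handle(self, spi: int) -> str:
        self.work += 1          # the SA lookup is paid in every case
        if spi in self.inbound:
            return "delivered"
        if self.policy == "drop":
            return "dropped"    # nothing more is spent on an unknown SPI
        self.work += 9          # building and sending a notify costs extra
        tag = notify_mac(self.key, spi) if self.key else None
        self.sent.append(InvalidSpiNotify(spi, tag))
        return "notified"


class Sender:
    """Holds outbound SAs; decides whether an incoming notify is actionable."""

    def __init__(self, outbound_spis, phase1_key: Optional[bytes] = None,
                 accept_unauthenticated: bool = False):
        self.outbound = set(outbound_spis)
        self.key = phase1_key
        self.accept_unauthenticated = accept_unauthenticated

    def on_notify(self, n: InvalidSpiNotify) -> str:
        if n.mac is None:
            if not self.accept_unauthenticated:
                return "ignored"
        elif self.key is None or not hmac.compare_digest(n.mac, notify_mac(self.key, n.spi)):
            return "ignored"    # no matching Phase 1 SA: cannot verify, so do nothing
        self.outbound.discard(n.spi)   # tear down the stale SA so IKE can renegotiate
        return "deleted"


def flood_cost(policy: str, packets: int = 1000) -> int:
    """Resource spent by a receiver hit with `packets` packets carrying unknown SPIs."""
    r = Receiver({LEGIT_SPI}, policy, phase1_key=b"phase1-key")
    for i in range(packets):
        r.handle(0x20000 + i)   # constructed SPIs the receiver never installed
    return r.work


def forged_unauthenticated_notify(accept_unauthenticated: bool):
    """Attacker spoofs a bare 'invalid SPI' notify naming the legitimate SA."""
    s = Sender({LEGIT_SPI}, phase1_key=b"phase1-key",
               accept_unauthenticated=accept_unauthenticated)
    return s.on_notify(InvalidSpiNotify(LEGIT_SPI)), LEGIT_SPI in s.outbound


def forged_authenticated_notify():
    """Attacker guesses a tag without knowing the Phase 1 key."""
    s = Sender({LEGIT_SPI}, phase1_key=b"phase1-key")
    forged = InvalidSpiNotify(LEGIT_SPI, notify_mac(b"attacker-guess", LEGIT_SPI))
    return s.on_notify(forged), LEGIT_SPI in s.outbound


def stale_sa_recovery(sender_key: bytes, receiver_key: bytes):
    """Receiver lost its Phase 2 SA; the sender still transmits on it and gets a notify."""
    r = Receiver(set(), "notify", phase1_key=receiver_key)
    s = Sender({LEGIT_SPI}, phase1_key=sender_key)
    r.handle(LEGIT_SPI)                     # stale packet hits an unknown SPI
    return s.on_notify(r.sent[-1]), LEGIT_SPI in s.outbound


if __name__ == "__main__":
    print("flood cost, drop  :", flood_cost("drop"))
    print("flood cost, notify:", flood_cost("notify"))
    print("unauth notify accepted:", forged_unauthenticated_notify(True))
    print("unauth notify ignored :", forged_unauthenticated_notify(False))
    print("forged tag            :", forged_authenticated_notify())
    print("matching Phase 1 SAs  :", stale_sa_recovery(b"k", b"k"))
    print("mismatched Phase 1 SAs:", stale_sa_recovery(b"k1", b"k2"))
```

The four scenarios map onto the message: the notify policy spends an order of magnitude more receiver resources per bogus packet than silent drop; a sender that accepts unauthenticated notifies lets anyone who can spoof one delete a live SA; a tag computed without the Phase 1 key is rejected; and when the two sides' Phase 1 keys differ the legitimate notify is also rejected, which is the "both have SAs but they don't match" case where the pair stays stuck.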