
RE: Phase 1 KB lifetime



>>>>> "Sankar" == Sankar Ramamoorthi <Sankar@vpnet.com> writes:

 >> ...
 >> Bottom line is that IKE/IPSEC isn't fully self-stabilizing; it
 >> doesn't recover (in short time) from a situation where one side
 >> has SAs and the other does not -- however that situation may have
 >> come about.
 >> 
 >> There's a conflict between self-stabilization and robustness in
 >> the face of DOS attack, unfortunately. ...
 >>  The safest answer is "do nothing" but that is also exactly the
 >> design choice for non-self-stabilization.

 Sankar> Are you saying that a design choice for
 Sankar> non-self-stabilization is acceptable? 

No (though IPSec isn't the only standard protocol that suffers from
this, nor the one to suffer the most).  What I meant to say is that
this is the design choice that has been made, whether with the full
realization of what this means or not is unclear.

 Sankar> Since, as you mentioned
 Sankar> before, the situation that one side has an SA and the other
 Sankar> side does not can come about in many ways, isn't
 Sankar> self-stabilization all the more important?

Sure.  In fact, I'd say that self-stabilization is always important
and always should be a design goal for any protocol, not to be set
aside except for very weighty reasons.

 Sankar> Why is "do nothing" a safe choice for the receiver of the bad
 Sankar> IPSec packet (IPSec packet without SA)? How does sending an
 Sankar> 'invalid spi' notify to the sender of the ipsec packet affect
 Sankar> the safety of the receiver?  Isn't sending a notify better
 Sankar> than doing nothing?

Not necessarily.  Sending a notify consumes resources that are not
consumed by simply discarding the offending packet.  Since DOS attacks
basically are attempts to get the receiver to consume lots of
resources, the fewer resources you use in dealing with invalid packets
the safer you are from DOS attacks.

 Sankar> From the sender (of the stale ipsec packet) point of view it may
 Sankar> be useful to receive a notify immediately - if it can be
 Sankar> authenticated in some way then it can even act on it
 Sankar> immediately.

True, but of course that's a big "if".  Another SA problem scenario is 
where both sides have SAs, but they don't match.  If that is true for
the Phase 1 SAs as well, you cannot authenticate the notifies even if
they were sent.  And you are wise not to accept them unauthenticated
because then you have a really BIG DOS attack opportunity!

	paul
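A toy model of the two points made in the reply above, added here as an illustration and not part of the original thread: a receiver that bounds how many "invalid SPI" notifies it will emit per time window (so a flood of bogus packets costs it little more than silent discard), and that acts on an incoming INVALID_SPI notify only when the notify authenticates under an existing Phase 1 SA. The HMAC construction, window size, class and function names are assumptions for this example, not IKE's actual notify format.

```python
import hashlib
import hmac
from collections import deque


def make_notify_mac(phase1_key: bytes, spi: int) -> bytes:
    """Stand-in for Phase 1 protection of a notify (constructed for this example)."""
    return hmac.new(phase1_key, f"INVALID_SPI:{spi}".encode(), hashlib.sha256).digest()


class IpsecReceiver:
    """Toy receiver: inbound SAs keyed by SPI plus an optional Phase 1 key."""

    def __init__(self, known_spis, phase1_key, max_notifies=5, window=1.0):
        self.known_spis = set(known_spis)
        self.phase1_key = phase1_key      # None models "no Phase 1 SA with the peer"
        self.max_notifies = max_notifies  # cap on notifies sent per window
        self.window = window              # seconds
        self.sent_times = deque()         # timestamps of notifies sent in the window
        self.counters = {"notified": 0, "suppressed": 0}

    def on_esp_packet(self, spi: int, now: float) -> str:
        if spi in self.known_spis:
            return "accepted"
        # Unknown SPI: silent discard is the cheapest action.  If we answer at all,
        # bound the cost so a flood cannot turn us into a notify generator.
        while self.sent_times and now - self.sent_times[0] >= self.window:
            self.sent_times.popleft()
        if len(self.sent_times) < self.max_notifies:
            self.sent_times.append(now)
            self.counters["notified"] += 1
            return "notify"
        self.counters["suppressed"] += 1
        return "drop"

    def on_invalid_spi_notify(self, spi: int, mac) -> str:
        """Tear down an SA only if the notify is authenticated under Phase 1."""
        if self.phase1_key is None or mac is None:
            return "ignored"
        expected = make_notify_mac(self.phase1_key, spi)
        if not hmac.compare_digest(expected, mac):
            return "ignored"
        self.known_spis.discard(spi)
        return "sa_deleted"


def simulate_flood(receiver: IpsecReceiver, n_packets: int, spi: int = 0xDEAD):
    """Constructed flood of n packets with an unknown SPI, all inside one window."""
    results = [receiver.on_esp_packet(spi, now=0.0) for _ in range(n_packets)]
    return results.count("notify"), results.count("drop")
```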