
Re: Phase 1 KB lifetime



Andrew:

> I believe that sending a notify invalid spi is appropriate because it does
> not consume enough CPU time to allow a DoS attack. If you're really
> concerned about DoS, you can send the notify only on the first occurrence
> and then ignore all subsequent bad packets... but IMHO protecting against
> DoS attackers who have large amounts of CPU power is, in general, a losing
> proposition.
> 

Sorry to beat the dead horse, but two different documents define the usage
of INVALID-SPI and neither definition lists replying to invalid IPSEC packets.
(Those documents are RFC 2408 and draft-ietf-ipsec-notifymsg-02.txt).
Are the generally accepted implementation practices different from the
requirements/recommendations of those documents?

-Ben McCann

-- 
Ben McCann                              Indus River Networks
                                        31 Nagog Park
                                        Acton, MA, 01720
email: bmccann@indusriver.com           web: www.indusriver.com 
phone: (978) 266-8140                   fax: (978) 266-8111
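
The inbound handling being argued about in this thread, as an added worked example that is not part of the original messages or of any implementation mentioned in them: a receiver parses the ESP header of an inbound packet, looks the SPI up in its SA database, and, when the SPI is unknown, emits at most one INVALID-SPI notification per (peer, SPI) pair and silently drops the rest, which is the "notify on the first occurrence, then ignore" rate-limiting Andrew suggests. The SPI values, peer address, packet bytes and the SA description are constructed for the example; the notification is modelled as a returned record rather than an actual IKE notify message, and nothing here is meant to show what RFC 2408 or draft-ietf-ipsec-notifymsg-02.txt require.

```python
"""Added example (not from the original thread): rate-limited handling of
inbound ESP packets whose SPI is not in the Security Association Database.

Assumptions (hypothetical, for illustration only):
  * the SAD is a plain dict keyed by 32-bit SPI;
  * a notification is represented by the tuple ("notify-invalid-spi", spi, None)
    instead of a real IKE INVALID-SPI notify payload.
"""

import struct

# ESP header per RFC 2406: SPI (4 bytes) followed by Sequence Number (4 bytes),
# both in network byte order.
ESP_HEADER = struct.Struct("!II")

# RFC 2406 section 2.1: SPI 0 is reserved for local use and 1..255 are reserved
# by IANA, so a packet carrying one of those on the wire is never a valid SA.
MAX_RESERVED_SPI = 255


def build_esp(spi, seq, payload=b"\x00" * 16):
    """Construct a minimal ESP packet (constructed test data, not a real SA)."""
    return ESP_HEADER.pack(spi, seq) + payload


def parse_esp_header(packet):
    """Return (spi, seq) from the start of an ESP packet."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("truncated ESP header")
    return ESP_HEADER.unpack_from(packet)


class InboundEspHandler:
    """Looks up inbound SPIs and rate-limits INVALID-SPI notifications.

    Decisions returned by receive():
      ("process", spi, seq)            SPI found, hand the packet to the SA
      ("notify-invalid-spi", spi, None) unknown SPI seen for the first time
      ("drop", spi, None)              unknown or reserved SPI, silently dropped
    """

    def __init__(self, sad):
        self.sad = dict(sad)      # spi -> SA description (hypothetical shape)
        self.notified = set()     # (peer, spi) pairs already reported once
        self.dropped = 0          # cheap counter so the flood is still visible

    def receive(self, peer, packet):
        spi, seq = parse_esp_header(packet)
        sa = self.sad.get(spi)
        if sa is not None:
            return ("process", spi, seq)

        self.dropped += 1
        if spi <= MAX_RESERVED_SPI:
            # Reserved SPIs can never match an SA; not worth a notification.
            return ("drop", spi, None)

        key = (peer, spi)
        if key in self.notified:
            # Repeats of the same bad SPI cost only a set lookup: no notify.
            return ("drop", spi, None)
        self.notified.add(key)
        return ("notify-invalid-spi", spi, None)


def simulate_flood():
    """Constructed scenario: one valid packet, then the same bad SPI 5 times."""
    handler = InboundEspHandler({0x1000: "esp-3des-hmac-md5 (hypothetical SA)"})
    peer = "192.0.2.10"   # constructed address from the documentation range
    decisions = [handler.receive(peer, build_esp(0x1000, 1))]
    for seq in range(1, 6):
        decisions.append(handler.receive(peer, build_esp(0xDEAD, seq)))
    return decisions


if __name__ == "__main__":
    for decision in simulate_flood():
        print(decision)
```

The per-(peer, SPI) set is the only state the attacker can grow, and it grows by one entry per distinct bogus SPI rather than per packet, so the notification path stays bounded even under a flood; an implementation that worried about memory as well as CPU would additionally cap or age out that set.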

