Re: Future ISAKMP Denial of Service Vulnerability Needs Addressing
>>>>> "Anderson" == Anderson <neo@silkroad.com> writes:
Anderson> WG Members:
Anderson> We are hearing more and more concerns in the enterprise community
Anderson> that ISAKMP will be vulnerable to UDP denial of service attacks
Anderson> in the future. This is a widely known and serious flaw, IMHO.
Yes, it is widely known. It is not a serious flaw, it is a fact of life.
Switching to TCP does nothing. If you naively implement ISAKMP on top
of TCP, then you must include TCP SYN spoof protection, which is much more
difficult to deploy and hard to provide different levels of protection for,
say, HTTP servers vs ISAKMP daemons.
If you look at TCP SYN spoof protection, you'll discover that it involves
the use of cookies as non-predictable sequence numbers, and thus is
identically equivalent to what ISAKMP has.
:!mcr!: | Solidum Systems Corporation, http://www.solidum.com
Michael Richardson |For a better connected world,where data flows faster<tm>
Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
mailto:mcr@sandelman.ottawa.on.ca mailto:mcr@solidum.com
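The equivalence argued above, as an added simulation that is not part of the thread and not the code of any ISAKMP implementation: a responder that keeps no per-peer state on the first message, answers with a cookie bound to the claimed source, and allocates state only when a second message echoes a cookie that verifies. The cookie construction (HMAC over source address, port and a time slot, under a responder-local secret) and the class and function names are this example's own assumptions, chosen to illustrate the idea shared by TCP SYN cookies and the ISAKMP/Photuris anti-clogging cookie, not the exact encoding of either.

```python
"""Anti-clogging cookie simulation (added example, not code from the thread).

A spoofed-source sender never sees the reply carrying the cookie, so it can
never make the responder allocate state.  A sender that does not spoof can
complete the exchange and consume state; the cookie does nothing about that,
which is the 'fact of life' part of the argument.
"""
import hashlib
import hmac
import secrets
import time

COOKIE_LEN = 8        # ISAKMP cookies are 8 octets (SYN cookies fit in 32 bits)
SLOT_SECONDS = 60     # assumed cookie validity window for this example


class Responder:
    """Hypothetical responder: stateless until a valid cookie comes back."""

    def __init__(self, max_state=1000, clock=time.time):
        self.secret = secrets.token_bytes(32)   # never leaves the responder
        self.clock = clock
        self.max_state = max_state
        self.sessions = {}   # (src_ip, src_port) -> state, created only after cookie check

    def _cookie(self, src_ip, src_port, slot):
        # Bind the cookie to the claimed source and a coarse time slot so it
        # cannot be predicted, transplanted to another source, or replayed later.
        msg = f"{src_ip}|{src_port}|{slot}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]

    def handle_initial(self, src_ip, src_port):
        """First message: reply with a cookie, allocate nothing."""
        slot = int(self.clock()) // SLOT_SECONDS
        return self._cookie(src_ip, src_port, slot)

    def handle_cookie_reply(self, src_ip, src_port, cookie):
        """Second message: allocate state only if the cookie verifies."""
        now = int(self.clock()) // SLOT_SECONDS
        for slot in (now, now - 1):              # tolerate a slot rollover
            expected = self._cookie(src_ip, src_port, slot)
            if hmac.compare_digest(cookie, expected):
                if len(self.sessions) >= self.max_state:
                    return False                 # genuine exhaustion; cookies cannot help
                self.sessions[(src_ip, src_port)] = {"slot": slot}
                return True
        return False


def spoofed_flood(responder, n):
    """Attacker sends n first messages from forged sources and never sees the
    replies.  Returns the number of state entries created (expected: 0)."""
    for i in range(n):
        ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"   # constructed spoofed source
        responder.handle_initial(ip, 500)
    return len(responder.sessions)


def honest_handshake(responder, ip="192.0.2.10", port=500):
    """Legitimate initiator echoes the cookie it actually received."""
    cookie = responder.handle_initial(ip, port)
    return responder.handle_cookie_reply(ip, port, cookie)


def stolen_cookie_attempt(responder):
    """A cookie issued to one address presented from another must fail."""
    cookie = responder.handle_initial("192.0.2.10", 500)
    return responder.handle_cookie_reply("203.0.113.5", 500, cookie)


def unspoofed_flood(responder, n):
    """Attacker that uses real (routable) sources completes the exchange and
    fills the state table up to max_state.  Returns entries it created."""
    created = 0
    for i in range(n):
        ip, port = f"198.51.100.{i % 256}", 1024 + i        # constructed real sources
        cookie = responder.handle_initial(ip, port)
        if responder.handle_cookie_reply(ip, port, cookie):
            created += 1
    return created


if __name__ == "__main__":
    r = Responder(max_state=100)
    print("state entries after 10000 spoofed first messages:", spoofed_flood(r, 10000))
    print("honest handshake accepted:", honest_handshake(r))
    print("cookie from another source accepted:", stolen_cookie_attempt(r))
    print("entries created by non-spoofing flood:", unspoofed_flood(r, 500))
```

The responder spends one HMAC per first message and holds no state until the cookie returns, which is exactly what a SYN cookie buys a TCP stack; the last function shows the limit of the technique, since an attacker willing to expose real source addresses still fills the table, and only rate limiting or capacity addresses that.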