
Re: Future ISAKMP Denial of Service Vulnerability Needs Addressing



Andrew Krywaniuk wrote:
> 
> Joern:
> 
> Question is, why wasn't this built into ISAKMP? The normal ISAKMP
> cookies could have been exchanged before sending the SA payload.
> Would have taken an extra round-trip, of course.
> 
> Andrew:
> 
> I don't know. Maybe we need to go back and scavenge a few ideas from
> Photuris. Although Photuris does seem to be vulnerable to modular
> exponentiation attacks (which is typical of identity protection exchanges),
> the cookie request exchange is similar to what you proposed.

One reason I formed the concept of "state payload" is that with it a responder
could protect itself from some DoS attacks with minimal changes to ISAKMP.
It does not protect from all attacks. It can consume a significant amount
of space, making ISAKMP packets in UDP cumbersome. If the contents of the
state payload are specified incorrectly, security could be broken.

However, it does not even have to be used unless necessary. And implementations
that don't want it need only understand enough to send it back in the next message.

> Ari's comment about using public-key crypto to sign the info seems like
> overkill. Cookies can be encrypted based on local secret info using a fast
> algorithm. (Why sacrifice CPU consumption to save memory consumption?)

I didn't state public-key crypto.. read again.

> In Photuris, the responder generates the SA proposal list. Therefore, he
> does not need to keep a state (since the proposal list is presumably static
> or, at the very least, easy to regenerate from policy).

Sounds like this leaks security information from responder.. My point being
that I'd rather not start respecifying the whole protocol again. Only when
necessary should there be changes, but IF necessary, the changes should be done.

-- 
Ari Huttunen                   phone: +358 9 859 900
Senior Software Engineer       fax  : +358 9 8599 0452

F-Secure Corporation       http://www.F-Secure.com 

F-Secure products: Integrated Solutions for Enterprise Security
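
The state-payload idea discussed in this message, as an added example that is not part of the original post or of any ISAKMP specification: the responder hands its per-exchange state to the initiator, protected by a keyed MAC under a local secret, and accepts it back only if it is unmodified, fresh, and returned from the same address. The payload layout, HMAC-SHA256, the 30-second lifetime and all names are assumptions; the state is authenticated here, not encrypted.

```python
import hashlib
import hmac
import os
import struct

LOCAL_SECRET = os.urandom(32)  # known only to the responder (assumed: rotated periodically)
MAX_AGE = 30                   # seconds a returned state payload stays valid (assumed)
TAG_LEN = 32                   # HMAC-SHA256 output size


def _tag(peer: str, issued: int, state: bytes, secret: bytes) -> bytes:
    # Bind the state to the peer address and issue time so it cannot be
    # replayed from another address or reused after it expires.
    msg = peer.encode() + b"\x00" + struct.pack("!Q", issued) + state
    return hmac.new(secret, msg, hashlib.sha256).digest()


def seal_state(peer: str, state: bytes, now: int, secret: bytes = LOCAL_SECRET) -> bytes:
    """Build the payload the responder sends instead of storing `state`."""
    return struct.pack("!Q", now) + _tag(peer, now, state, secret) + state


def open_state(peer: str, payload: bytes, now: int, secret: bytes = LOCAL_SECRET):
    """Return the original state, or None if the payload must be dropped."""
    if len(payload) < 8 + TAG_LEN:
        return None
    (issued,) = struct.unpack("!Q", payload[:8])
    tag, state = payload[8:8 + TAG_LEN], payload[8 + TAG_LEN:]
    # Constant-time comparison; the MAC is checked before any field is trusted.
    if not hmac.compare_digest(tag, _tag(peer, issued, state, secret)):
        return None  # modified, forged, or returned from a different address
    if not 0 <= now - issued <= MAX_AGE:
        return None  # stale or future-dated: bounds the replay window
    return state


if __name__ == "__main__":
    # Constructed sample values (documentation address, made-up state bytes).
    payload = seal_state("192.0.2.10", b"selected-proposal=2", now=1000)
    print(open_state("192.0.2.10", payload, now=1010))  # echoed intact
    print(open_state("192.0.2.99", payload, now=1010))  # other source address
    print(open_state("192.0.2.10", payload, now=1100))  # expired
```

Until a valid payload comes back, the responder has spent one MAC computation and stored nothing; the cost is the extra bytes in each UDP message that the post mentions.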