RE: Future ISAKMP Denial of Service Vulnerability Needs Addressing

> As I stated in my suggestion, an Initiator must not reply to
> any challenge it gets back, only challenges that do not take too much computational
> resources (The threshold should be configurable on the initiator).
> There is a trade-off between the level of security that the
> responder gets and the burden on the initiator.

So the initiator needs to tell the responder how difficult a challenge it is
prepared to accept and the responder needs to decide whether this is
acceptable or not.

Given the range of processing resource available to network devices and the
rate of technological advance, it would be hard to pick the difficulty
level.  Also consider that the attacker could hand off this processing to a
device(s) with far greater CPU resource, eg a compromised server.

Now the responder could raise the difficulty level until it could keep up
with the request level.  Still, I think the benefits of this protection need
to be considered against the perceived level of the threat, and the
disruption and complexity added to the protocol - particularly relative to
the alternative methods, eg random drop.

Chris

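A sketch of the puzzle exchange the thread is discussing, added here as an example (not code from either message, nor from any ISAKMP implementation): the responder issues a challenge at its current difficulty, the initiator declines anything above its configurable threshold and otherwise solves it, the responder verifies with one hash and raises or lowers difficulty according to its backlog. The hash-based puzzle form, the `max_bits` threshold and the load-driven adjustment are assumptions for the example.

```python
import hashlib
import secrets
from typing import Optional

# Constructed example; not code from the original post or any ISAKMP implementation.
# Assumed puzzle form: find s such that SHA-256(nonce || s) has >= `bits` leading zero bits.

def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def make_puzzle(bits: int, nonce: Optional[bytes] = None) -> dict:
    """Responder: issue a fresh nonce plus the current difficulty; no per-peer state kept."""
    return {"nonce": nonce if nonce is not None else secrets.token_bytes(16), "bits": bits}

def verify_solution(puzzle: dict, sol: bytes) -> bool:
    """Responder: a single hash to check, however much work the solver spent."""
    digest = hashlib.sha256(puzzle["nonce"] + sol).digest()
    return leading_zero_bits(digest) >= puzzle["bits"]

def solve_puzzle(puzzle: dict, max_bits: int) -> Optional[bytes]:
    """Initiator: refuse puzzles above its configured threshold, otherwise brute-force one."""
    if puzzle["bits"] > max_bits:
        return None  # too expensive for this initiator; it simply does not reply
    counter = 0
    while True:
        sol = counter.to_bytes(8, "big")
        if verify_solution(puzzle, sol):
            return sol
        counter += 1

def adapt_difficulty(bits: int, pending: int, capacity: int, max_bits: int = 24) -> int:
    """Responder: raise difficulty while the backlog exceeds what it can process, ease off otherwise."""
    if pending > capacity:
        return min(bits + 1, max_bits)
    if pending < capacity // 2:
        return max(bits - 1, 0)
    return bits

def exchange(responder_bits: int, initiator_max_bits: int) -> bool:
    """One round: responder issues, initiator decides and solves, responder verifies."""
    puzzle = make_puzzle(responder_bits)
    sol = solve_puzzle(puzzle, initiator_max_bits)
    return sol is not None and verify_solution(puzzle, sol)
```

Note the asymmetry the thread relies on: the initiator's cost grows by a factor of two per bit, while the responder's check stays one hash, so raising `bits` only ever shifts work onto the party sending requests.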