
Re: Future ISAKMP Denial of Service Vulnerability Needs Addressing



The following paper describes a similar approach.
http://www.rsasecurity.com/rsalabs/staff/ajuels/papers/clientpuzzles.pdf



Chris Trobridge wrote:

> > As I stated in my suggestion, an Initiator must not reply to
> > any challenge it gets back, only challenges that do not take too much
> > computational resources (The threshold should be configurable on the
> > initiator). There is a trade-off between the level of security that the
> > responder gets and the burden on the initiator.
>
> So the initiator needs to tell the responder how difficult a challenge it is
> prepared to accept and the responder needs to decide whether this is
> acceptable or not.
>
> Given the range of processing resource available to network devices and the
> rate of technological advance, it would be hard to pick the difficulty
> level.  Also consider that the attacker could hand off this processing to a
> device(s) with far greater CPU resource, e.g. a compromised server.
>
> Now the responder could raise the difficulty level until it could keep up
> with the request level.  Still, I think the benefits of this protection need
> to be considered against the perceived level of the threat, and the
> disruption and complexity added to the protocol - particularly relative to
> the alternative methods, e.g. random drop.
>
> Chris
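The exchange discussed above (a responder-issued puzzle, an initiator that only solves puzzles below its configurable difficulty ceiling, and a responder that raises the difficulty while it cannot keep up with the request rate), as an added Python example that is not part of this thread. It uses a simplified hash-preimage puzzle (leading zero bits of SHA-256) rather than the exact construction in the cited paper; the MAC over the challenge, the `sustainable_rate` parameter and the 32-bit ceiling are my assumptions.

```python
import hashlib
import hmac
import os

def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest: the puzzle's measure of work."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def make_challenge(secret: bytes, difficulty: int) -> tuple[bytes, int, bytes]:
    """Responder side. The MAC binds nonce and difficulty, so the responder keeps
    no per-initiator state and the initiator cannot lower the difficulty."""
    nonce = os.urandom(16)
    tag = hmac.new(secret, nonce + bytes([difficulty]), hashlib.sha256).digest()
    return nonce, difficulty, tag

def solve_challenge(nonce: bytes, difficulty: int, max_difficulty: int):
    """Initiator side: refuse any puzzle above the configured ceiling (returns
    None), otherwise brute-force a counter until the hash has enough zero bits."""
    if difficulty > max_difficulty:
        return None
    counter = 0
    while True:
        solution = counter.to_bytes(8, "big")
        if leading_zero_bits(hashlib.sha256(nonce + solution).digest()) >= difficulty:
            return solution
        counter += 1

def verify_solution(secret: bytes, nonce: bytes, difficulty: int,
                    tag: bytes, solution: bytes) -> bool:
    """Responder side: one MAC and one hash, whatever the difficulty was."""
    expected = hmac.new(secret, nonce + bytes([difficulty]), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False  # challenge was never issued, or its difficulty was altered
    return leading_zero_bits(hashlib.sha256(nonce + solution).digest()) >= difficulty

def adapt_difficulty(difficulty: int, observed_rate: float,
                     sustainable_rate: float, ceiling: int = 32) -> int:
    """Raise the cost one bit at a time while requests outpace what the responder
    can handle; relax it again once the rate has clearly dropped (assumed policy)."""
    if observed_rate > sustainable_rate:
        return min(difficulty + 1, ceiling)
    if observed_rate < sustainable_rate / 2 and difficulty > 0:
        return difficulty - 1
    return difficulty
```

Each extra bit of difficulty doubles the initiator's expected work while the responder's verification cost stays constant, which is the asymmetry the thread relies on.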




