
Re: Future ISAKMP Denial of Service Vulnerability Needs Addressing



I have a concern about this notion of using puzzles as a way of
addressing the DoS problem.

It seems that there is an implied assumption in this approach: that
the client is connecting to only one, or at most only a few, servers.
In that case, the puzzles approach seems plausible because the client
can afford the cost of solving a few puzzles as part of connection
setup.

On the other hand, what if your "client" is the hub of a hub & spoke
topology VPN, and is initiating many IKE requests concurrently?  We
already have seen some topologies of this kind, where scaling is a
concern.  The cost of regular IKE exchanges (two DH operations plus
typically some public key stuff) is already high enough to generate an
interest in PKI accelerators.  If the initiator is trying to initiate
several hundred IKE exchanges, and in the process is hammered with
several hundred puzzles, life is suddenly very unpleasant indeed.
Note that the puzzles proposed so far aren't things you can accelerate
with available "crypto hardware assist" devices.

Let's be sure to keep this scenario in mind when analyzing proposed
approaches.

	paul
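As an added illustration (not part of the original message or thread), a hashcash-style client puzzle in Python that makes the cost asymmetry concrete: the responder spends one hash to issue or verify a puzzle, while an initiator spends an expected 2^k hashes per puzzle, so a hub opening N exchanges against N puzzle-issuing peers pays roughly N * 2^k hash operations. The puzzle format and function names are assumptions for this example.

```python
import hashlib
import os

# Constructed hashcash-style puzzle: the responder issues a random nonce and a
# difficulty k; the initiator must find a counter such that
# SHA-256(nonce || counter) has at least k leading zero bits.
# Note this is a brute-force hash search, not a modular exponentiation, so a
# DH/RSA accelerator card does nothing to speed it up.

def make_puzzle(difficulty_bits: int) -> tuple[bytes, int]:
    """Responder side: cheap, just a fresh nonce plus the required difficulty."""
    return os.urandom(16), difficulty_bits

def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a big-endian digest."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()

def verify(nonce: bytes, difficulty_bits: int, solution: int) -> bool:
    """Responder side: a single hash to check a submitted solution."""
    digest = hashlib.sha256(nonce + solution.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= difficulty_bits

def solve(nonce: bytes, difficulty_bits: int) -> tuple[int, int]:
    """Initiator side: linear search, expected 2^k hashes.
    Returns (solution, hashes_performed)."""
    solution = 0
    while not verify(nonce, difficulty_bits, solution):
        solution += 1
    return solution, solution + 1  # one hash per verify() call

def hub_cost(num_peers: int, difficulty_bits: int) -> int:
    """Total hashes a hub must perform when each of num_peers responders
    hands it a puzzle of the given difficulty during IKE setup."""
    total = 0
    for _ in range(num_peers):
        nonce, k = make_puzzle(difficulty_bits)
        solution, hashes = solve(nonce, k)
        assert verify(nonce, k, solution)  # responder's one-hash check
        total += hashes
    return total

if __name__ == "__main__":
    # A single spoke solving one puzzle versus a hub solving a few hundred:
    # the hub's cost scales linearly with the number of concurrent exchanges.
    print("one peer, k=10:", hub_cost(1, 10), "hashes")
    print("200 peers, k=10:", hub_cost(200, 10), "hashes")
```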

