
Re: Future ISAKMP Denial of Service Vulnerability Needs Addressing

Thinking about future ISAKMP denial of service attacks
on UDP has led me to these system-centric risk reduction
architectural observations (sorry for the mouthful ...)

(1)  ISAKMP is most vulnerable to DoS attack during the
     initial set up.

(2)  Risk is reduced by minimizing set-up time and maximizing
     non-setup processing (time).

(3)  Therefore, one trade-off goal between architecture
     and risk could be based on creating an architecture
     which minimizes ISAKMP set-up(s).


(4)  Establishing long standing tunnels with ISAKMP
     (tunnel mode) vs. shorter duration host-to-host
     exchanges (transparent mode) may significantly
     reduce ISAKMP DoS risk.


This does imply that the complexity of 'trying to do it
all' with IPSEC/ISAKMP is weakening the integrity of
the system architecture (mentioned in the other thread
on 'IPSEC complexity').

Controversy may continue in the 'complexity vs. robustness'
debate, and it is possible that organizations will migrate
to tunnel mode centric architectures to reduce DoS risk.


Finest Regards,
                      Neo
---------------------------
The Y2K Feature:

A way of remaining in the 20th century for a little
longer ..... 19 - 100 ... a feature, not a bug :)