
RE: Future ISAKMP Denial of Service Vulnerability Needs Addressing



>>>>> "Chris" == Chris Trobridge <CTrobridge@baltimore.com> writes:

 Chris> I've had some thoughts about this.  Consider that rather than
 Chris> generate a 'get out of puzzle free' token that the ISAKMP
 Chris> peers negotiate a shared secret authentication key.
 Chris> Subsequent negotiations could use this key in place of the
 Chris> much more expensive PKI-based authentication.  These temporary
 Chris> authentication keys could be cached and wouldn't need to be
 Chris> held for every possible peer.

 Chris> If there's a vulnerability here, then the token could be used
 Chris> to authenticate the initial ISAKMP datagram(s) only and be
 Chris> used in addition to the current authentication mechanisms.

 Chris> This doesn't solve the initial connection issue, but it would
 Chris> help protect established VPNs at rekeying time against attacks
 Chris> on their PK/memory resources.

Interesting notion, but I am worried about the initial connection
aspect as well.  Consider the Monday morning effect, or tunnel
re-establishment after a security gateway reboot.

	paul

