RE: Future ISAKMP Denial of Service Vulnerability Needs Addressing
>>>>> "Chris" == Chris Trobridge <CTrobridge@baltimore.com> writes:
Chris> I've had some thoughts about this. Consider that rather than
Chris> generate a 'get out of puzzle free' token that the ISAKMP
Chris> peers negotiate a shared secret authentication key.
Chris> Subsequent negotiations could use this key in place of the
Chris> much more expensive PKI-based authentication. These temporary
Chris> authentication keys could be cached and wouldn't need to be
Chris> held for every possible peer.
Chris> If there's a vulnerability here, then the token could be used
Chris> to authenticate the initial ISAKMP datagram(s) only and be
Chris> used in addition to the current authentication mechanisms.
Chris> This doesn't solve the initial connection issue, but it would
Chris> help protect established VPNs at rekeying time against attacks
Chris> on their PK/memory resources.
Interesting notion, but I am worried about the initial connection
aspect as well. Consider the Monday morning effect, or tunnel
re-establishment after a security gateway reboot.
paul
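To make the trade-off in this exchange concrete, here is a small model of the cached-key idea and of the objection to it. It is an added illustration, not code from the thread or from any ISAKMP implementation: a responder does one expensive, PKI-authenticated exchange per peer, caches a per-peer shared authentication key derived from it, and on later re-negotiations checks an HMAC over the first datagram before doing any expensive work. A cache miss (unknown peer, or a cache emptied by a gateway reboot) falls back to the expensive path, which is exactly the initial-connection and reboot case raised in the reply. The peer names, payload bytes and the "one expensive op per PKI exchange" cost model are all constructed for the example.

```python
"""Toy model of a responder that caches a per-peer shared authentication key
after one PKI-authenticated exchange, then uses a cheap HMAC check to gate
subsequent initial datagrams.  Illustration only; not real ISAKMP."""
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

KEY_LEN = 32  # 256-bit shared authentication key (assumption for this model)


@dataclass
class Responder:
    cache: dict = field(default_factory=dict)  # peer_id -> cached shared key
    expensive_ops: int = 0                     # simulated public-key operations
    cheap_rejects: int = 0                     # forged datagrams dropped by MAC check

    def pki_authenticated_exchange(self, peer_id: str) -> bytes:
        """Stand-in for the full PKI-based authentication.  Costs one
        'expensive op' and yields a fresh shared key that is cached."""
        self.expensive_ops += 1
        key = secrets.token_bytes(KEY_LEN)
        self.cache[peer_id] = key
        return key

    def handle_initial_datagram(self, peer_id: str, payload: bytes, tag: bytes) -> str:
        """Return 'fast' if the cached-key MAC verifies, 'rejected' if a key is
        cached but the MAC is wrong, or 'pki' when no key is cached and the
        expensive path had to run."""
        key = self.cache.get(peer_id)
        if key is None:
            # Unknown peer, or cache lost (e.g. after reboot): fall back to PKI.
            self.pki_authenticated_exchange(peer_id)
            return "pki"
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            # Cheap rejection: no public-key work spent on a forged datagram.
            self.cheap_rejects += 1
            return "rejected"
        return "fast"

    def reboot(self) -> None:
        """Simulate a security-gateway reboot that loses the key cache."""
        self.cache.clear()


def tag_for(key: bytes, payload: bytes) -> bytes:
    """What a legitimate peer attaches to its first datagram."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def simulate() -> dict:
    """Run the scenario from the thread and return the observable outcomes."""
    r = Responder()
    peer_key = r.pki_authenticated_exchange("gw-a")  # initial, expensive
    legit = b"ISAKMP rekey request (constructed payload)"
    results = {}

    # Established VPN rekeying: one cheap MAC check, no PK work.
    results["legit_rekey"] = r.handle_initial_datagram("gw-a", legit, tag_for(peer_key, legit))

    # Flood of forged initial datagrams claiming to be gw-a: all dropped cheaply.
    forged = [r.handle_initial_datagram("gw-a", legit, secrets.token_bytes(KEY_LEN))
              for _ in range(1000)]
    results["forged_rejected"] = forged.count("rejected")
    results["expensive_after_flood"] = r.expensive_ops  # still just the initial one

    # A peer with no cached key (first contact) always costs a PK operation.
    results["unknown_peer"] = r.handle_initial_datagram("gw-b", legit, b"")
    results["expensive_after_unknown"] = r.expensive_ops

    # After a gateway reboot the cache is gone, so even a valid tag from an
    # established peer lands on the expensive path again.
    r.reboot()
    results["after_reboot"] = r.handle_initial_datagram("gw-a", legit, tag_for(peer_key, legit))
    results["expensive_after_reboot"] = r.expensive_ops
    return results


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The model shows why the cached key helps established tunnels at rekey time (a flood of forged datagrams costs only MAC checks) and why it does nothing for first contact or for a gateway that has just rebooted and lost its cache, where every peer reconnecting at once still pays the full PKI cost.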