Re: Future ISAKMP Denial of Service Vulnerability Needs Addressing
>>>>> "Anderson" == Anderson <neo@silkroad.com> writes:
Anderson> Thinking about future ISAKMP denial of service attacks on
Anderson> UDP has led me to these system-centric risk reduction
Anderson> architectural observations (sorry for the mouthful ...)
Anderson> (1) ISAKMP is most vulnerable to DoS attack during the
Anderson> initial set up.
True.
Anderson> (2) Risk is reduced by minimizing set-up time and
Anderson> maximizing non-setup processing (time).
No. Time is not of the essence. The essential issue is the resources
consumed before good requests can be distinguished from bad ones. The
most significant resource is CPU power; the secondary one is state
memory.
Anderson> (3) Therefore, one trade-off goal in architecture and vs
Anderson> risk could be based on creating an architecture which
Anderson> minimizes ISAKMP set-up(s).
Or rather, the consumption of the resources I mentioned.
Anderson> (4) Establishing long standing tunnels with ISAKMP (tunnel
Anderson> mode) vs. shorter duration host-to-host exchanges
Anderson> (transparent mode) may significantly reduce ISAKMP DoS
Anderson> risk.
Not necessarily. I assume you mean "transport" rather than
"transparent" but in any case the SAs can live longer than the
TCP connections protected by them.
In any case, keeping the rate of legit requests low doesn't
necessarily help. It's the rejection rate of illegit requests that
needs to be improved. Also, lengthening the life of SAs may introduce
other issues (key exposure). And while it helps reduce the setup rate
due to rekeying, it does nothing to help the SA setup rate for the
initial SA establishment.
paul
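
Added example, not part of the original message: a toy Python model of the reply's point that what matters is the CPU and state memory spent before a bad request can be told from a good one. It assumes a stateless HMAC cookie as the cheap early check and made-up relative costs (1 vs. 1000 work units); the class, function and address names are hypothetical, and this is not the ISAKMP wire format.

```python
import hashlib
import hmac
import os

EXPENSIVE_COST = 1000  # assumed relative CPU cost of the key-exchange computation
CHEAP_COST = 1         # assumed relative CPU cost of one HMAC

class Responder:
    def __init__(self, verify):
        self.verify = verify          # False models a responder with no early check
        self.secret = os.urandom(32)  # local secret; rotating it expires old cookies
        self.state = {}               # per-peer state memory
        self.cpu = 0                  # accumulated work units

    def _cookie(self, src, nonce):
        self.cpu += CHEAP_COST
        mac = hmac.new(self.secret, src.encode() + nonce, hashlib.sha256)
        return mac.digest()[:8]

    def handle(self, src, nonce, cookie=None):
        if self.verify:
            expected = self._cookie(src, nonce)
            if cookie is None:
                return ("challenge", expected)  # one HMAC, no state kept
            if not hmac.compare_digest(cookie, expected):
                return ("reject", None)         # one HMAC, no state kept
        self.cpu += EXPENSIVE_COST              # only reached by vetted requests
        self.state[(src, nonce)] = "pending"
        return ("accept", None)

def simulate(bogus, legit, verify=True):
    """Return (cpu_units, state_entries) for constructed sample traffic."""
    r = Responder(verify)
    # Bogus senders use addresses they cannot receive on, so they never see
    # the challenge: they can only send first messages or guessed cookies.
    for i in range(bogus):
        src, nonce = f"198.51.100.{i % 250}", i.to_bytes(4, "big")
        r.handle(src, nonce)
        r.handle(src, nonce, b"\x00" * 8)
    for i in range(legit):
        src, nonce = f"192.0.2.{i}", os.urandom(8)
        kind, cookie = r.handle(src, nonce)
        if kind == "challenge":
            r.handle(src, nonce, cookie)  # echo the cookie to prove reachability
    return r.cpu, len(r.state)

if __name__ == "__main__":
    print("with early check:", simulate(1000, 5, verify=True))
    print("no early check:  ", simulate(1000, 5, verify=False))
    print("fewer legit setups, same flood:", simulate(1000, 0, verify=True))
```

In this model, dropping the legitimate setups from 5 to 0 (longer-lived SAs) leaves the work caused by the bogus traffic unchanged; only the cheap rejection path reduces it.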