RE: Future ISAKMP Denial of Service Vulnerability Needs Addressing
> Chris> This doesn't solve the initial connection issue, but it would
> Chris> help protect established VPNs at rekeying time against attacks
> Chris> on their PK/memory resources.
>
> Interesting notion, but I am worried about the initial connection
> aspect as well. Consider the Monday morning effect, or tunnel
> re-establishment after a security gateway reboot.
>
> paul

I think it's pretty much accepted that DOS can't be prevented, so it's more
a question of limiting it as best one can.

There is a problem with the initial authentication. Random packet dropping
and a puzzle-based slowing down mechanism have been discussed as ways of
limiting an attacker's ability to overwhelm a host through ISAKMP.

Once that initial authentication has been made, a secret point-to-point
authentication key could be used to provide a cheap way of authenticating
subsequent ISAKMP exchanges, from the initial packet on. If the
pre-existing authentication is still required then this secret key isn't
particularly sensitive and would not require particular protection (relative
to, e.g., ESP keys). Given this, it could be possible to cache these for a
reasonable amount of time. Depending on the device in question this would
cope with Monday morning or reboot situations.

It won't help if we all start using IPSEC in place of SSL to talk to web
servers (is this ever likely?), but it would help with VPNs.

Chris
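
The cached-key idea in the message above, as an added example that is not part of the original post and not taken from any ISAKMP implementation: a responder checks a short MAC on the first packet before committing public-key or memory resources. The packet layout, tag length, cache lifetime and every name below are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

TAG_LEN = 16            # assumed: HMAC-SHA256 truncated to 16 bytes
CACHE_TTL = 72 * 3600   # assumed: long enough to span a weekend or a reboot

class PeerKeyCache:
    """Responder-side cache of per-peer keys (hypothetical structure)."""

    def __init__(self, ttl=CACHE_TTL, clock=time.time):
        self.ttl, self.clock, self._keys = ttl, clock, {}

    def enroll(self, peer_id):
        """Call only after a full authentication; returns the key to hand to the peer."""
        key = os.urandom(32)
        self._keys[peer_id] = (key, self.clock() + self.ttl)
        return key

    def lookup(self, peer_id):
        key, expires = self._keys.get(peer_id, (None, 0))
        if key is not None and self.clock() >= expires:
            del self._keys[peer_id]      # expired: peer falls back to the slow path
            return None
        return key

def tag_packet(key, peer_id, first_packet):
    """Initiator side: MAC over a length-prefixed peer id plus the packet bytes."""
    msg = len(peer_id).to_bytes(2, "big") + peer_id + first_packet
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

def classify(cache, peer_id, first_packet, tag):
    """One hash, no public-key work. The tag only picks the queue; the
    normal ISAKMP authentication still runs afterwards on either path."""
    key = cache.lookup(peer_id)
    if key is not None and hmac.compare_digest(tag_packet(key, peer_id, first_packet), tag):
        return "priority"
    return "throttled"   # unknown peer, expired key or bad tag: dropping/puzzles apply

def demo():
    cache = PeerKeyCache()
    key = cache.enroll(b"gw-a.example")              # constructed peer id
    pkt = b"constructed first ISAKMP packet"         # constructed sample bytes
    good = classify(cache, b"gw-a.example", pkt, tag_packet(key, b"gw-a.example", pkt))
    forged = classify(cache, b"gw-a.example", pkt, bytes(TAG_LEN))
    return good, forged

if __name__ == "__main__":
    print(demo())
```

As written the tag does not detect replay of a captured packet, so a real design would also need a freshness check on the tagged data.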