RE: Future ISAKMP Denial of Service Vulnerability Needs Addressing
>>>>> "Chris" == Chris Trobridge <CTrobridge@baltimore.com> writes:
Chris> Once that initial authentication has been made, a secret
Chris> point-to-point authentication key could be used to provide a
Chris> cheap way of authenticating subsequent ISAKMP exchanges, from
Chris> the initial packet on. If the pre-existing authentication is
Chris> still required then this secret key isn't particularly
Chris> sensitive and would not require particular protection
Chris> (relative to, e.g., ESP keys). Given this, it could be possible
Chris> to cache these for a reasonable amount of time. Depending on
Chris> the device in question this would cope with Monday morning or
Chris> reboot situations.
Not reboot, unless you assume that these things go into NVRAM, which
is not all that likely. That tends to be a very scarce resource.
Chris> It won't help if we all start using IPSEC in place of SSL to
Chris> talk to web servers (is this ever likely?), but it would help
Chris> with VPNs.
For most of us, the web server case is indeed not that likely for now,
but John Gilmore certainly is pushing hard that way.
paul
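A sketch of the scheme Chris describes, as an added example that is not part of the original thread and not any IPsec implementation's code: after the expensive initial authenticated exchange, the responder caches a cheap per-peer authentication key in RAM, and every later initial packet from that peer carries an HMAC it can verify with one hash before allocating any state. The packet layout (sequence number, body, 32-byte tag), the 72-hour cache lifetime, HMAC-SHA256 as the MAC and the sample messages are all assumptions made here. The `reboot()` method simply empties the cache, which is Paul's point about the key not surviving a restart without NVRAM.

```python
import hashlib
import hmac
import os
import struct

# Assumed parameters (not from the thread): a 32-byte HMAC-SHA256 key, a
# 72-hour lifetime for the cached key, and a 32-bit per-peer sequence number
# for replay protection. Packet layout: seq(4) || body || tag(32).
TAG_LEN = 32
KEY_LIFETIME = 72 * 3600


def build_initial(auth_key, seq, body):
    """Initiator side: tag the first packet of a new exchange with the cached
    point-to-point key so the responder can check it before doing any
    expensive work."""
    msg = struct.pack("!I", seq) + body
    return msg + hmac.new(auth_key, msg, hashlib.sha256).digest()


class Responder:
    def __init__(self, clock):
        self.clock = clock          # callable returning the current time
        self.cache = {}             # peer -> [auth_key, expiry, last_seq]
        self.full_exchanges = 0     # how many expensive exchanges were run

    def full_exchange(self, peer):
        """Stand-in for the expensive initial authenticated exchange (DH plus
        certificate or signature checks). Here it only produces the cheap
        secret shared with the peer and stores it in volatile memory."""
        self.full_exchanges += 1
        auth_key = os.urandom(32)
        self.cache[peer] = [auth_key, self.clock() + KEY_LIFETIME, 0]
        return auth_key

    def reboot(self):
        """The cache lives in RAM only, so a reboot loses every cached key."""
        self.cache.clear()

    def handle_initial(self, peer, packet):
        """Cheap check on the first packet of an exchange. Returns 'accept'
        (cached key verified, proceed), 'full' (no usable cached key, run the
        full exchange) or 'drop' (bad tag or replay, discard without state)."""
        entry = self.cache.get(peer)
        if entry is None or entry[1] < self.clock():
            self.cache.pop(peer, None)
            return "full"
        auth_key, _, last_seq = entry
        if len(packet) < 4 + TAG_LEN:
            return "drop"
        msg, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(auth_key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return "drop"
        seq = struct.unpack("!I", msg[:4])[0]
        if seq <= last_seq:                           # replayed packet
            return "drop"
        entry[2] = seq
        return "accept"


def scenario():
    """Walk through the cases raised in the thread with constructed traffic:
    a later exchange within the cache lifetime, a spoofed packet from a
    sender without the key, a replay, an unknown peer, key expiry, and a
    reboot that empties the cache."""
    t = [1000.0]
    r = Responder(clock=lambda: t[0])
    peer = "10.0.0.2"
    out = {}

    key = r.full_exchange(peer)                # initial authenticated exchange
    t[0] += 3 * 3600                           # later, well within the lifetime
    out["legit"] = r.handle_initial(peer, build_initial(key, 1, b"SA proposal"))
    out["spoof"] = r.handle_initial(peer, build_initial(os.urandom(32), 2, b"SA proposal"))
    pkt = build_initial(key, 2, b"SA proposal")
    out["second"] = r.handle_initial(peer, pkt)
    out["replay"] = r.handle_initial(peer, pkt)
    out["unknown"] = r.handle_initial("192.0.2.9", build_initial(key, 1, b"hello"))
    t[0] += KEY_LIFETIME                       # cached key has expired
    out["expired"] = r.handle_initial(peer, build_initial(key, 3, b"SA proposal"))
    key = r.full_exchange(peer)                # re-authenticate, then lose RAM
    r.reboot()
    out["after_reboot"] = r.handle_initial(peer, build_initial(key, 1, b"SA proposal"))
    out["full_exchanges"] = r.full_exchanges
    return out
```

The cheap path does not stop an attacker from sending packets; it only makes each forged one cost the responder a single HMAC and no state, which is the asymmetry the thread is after. Note that the check keys on the peer address, so a spoofed source address from a known peer still reaches the HMAC step, and only a sender holding that peer's cached key gets past it.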