
RE: Future ISAKMP Denial of Service Vulnerability Needs Addressing



>>>>> "Chris" == Chris Trobridge <CTrobridge@baltimore.com> writes:

 Chris> Once that initial authentication has been made, a secret
 Chris> point-to-point authentication key could be used to provide a
 Chris> cheap way of authenticating subsequent ISAKMP exchanges, from,
 Chris> the initial packet on.  If the pre-existing authentication is
 Chris> still required then this secret key isn't particularly
 Chris> sensitive and would not require particular protection
 Chris> (relative to, eg, ESP keys).  Given this, it could be possible
 Chris> to cache these for a reasonable amount of time.  Depending on
 Chris> the device in question this would cope with Monday morning or
 Chris> reboot situations.

Not reboot, unless you assume that these things go into NVram, which
is not all that likely.  That tends to be a very scarce resource.

 Chris> It won't help if we all start using IPSEC in place of SSL to
 Chris> talk to web servers (is this ever likely?), but it would help
 Chris> with VPNs.

For most of us, the web server case is indeed not that likely for now,
but John Gilmore certainly is pushing hard that way.

	paul
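The scheme Chris sketches above (a cheap, cached per-peer authentication key used to screen ISAKMP packets before the expensive exchange, with the cache living only in RAM so a reboot empties it, as Paul's reply notes) as an added illustration; this is constructed demo code, not from the thread or any IPsec implementation, and the TTL, the HMAC-SHA256 tag and the return labels are assumptions:

```python
import hmac
import hashlib
import os

CACHE_TTL = 8 * 3600  # seconds; a "reasonable amount of time" (assumed value)


class Responder:
    def __init__(self):
        self.cache = {}           # peer -> (cheap_key, expires_at); volatile RAM only
        self.expensive_calls = 0  # how many full, costly exchanges were run

    def full_authentication(self, peer, now):
        """Stand-in for the initial expensive authenticated ISAKMP exchange.
        On success, derive a cheap point-to-point key and cache it."""
        self.expensive_calls += 1
        key = os.urandom(32)
        self.cache[peer] = (key, now + CACHE_TTL)
        return key

    def tag(self, key, payload):
        """Cheap authenticator a peer attaches to its packets."""
        return hmac.new(key, payload, hashlib.sha256).digest()

    def handle_initial_packet(self, peer, payload, tag, now):
        """Return 'cheap' if the cached key validates the packet, 'full' if we
        must fall back to the expensive exchange (no key, expired key, or no
        tag presented), and 'dropped' if a tag was presented but is wrong."""
        entry = self.cache.get(peer)
        if entry is None or entry[1] <= now or tag is None:
            self.cache.pop(peer, None)
            # The untagged path is still the DoS-exposed one and needs
            # rate limiting; that is the problem the thread is about.
            self.full_authentication(peer, now)
            return 'full'
        key, _ = entry
        if hmac.compare_digest(self.tag(key, payload), tag):
            return 'cheap'           # validated at the cost of one HMAC
        return 'dropped'             # forged/stale tag: no expensive work done

    def reboot(self):
        """The cache is not in NVRAM, so a reboot loses every cached key."""
        self.cache.clear()
```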

