
Re: Future ISAKMP Denial of Service Vulnerability Needs Addressing



Paul,

Since I also think CPU protection is important,
http://www.ietf.org/internet-drafts/draft-matsuura-sign-mode-01.txt
improves the DoS-resistance of IKE
in terms not only of memory resources but also of CPU resources.
My opinion is that CPU is more important
in the sense that memory exhaustion can be numerically evaluated
(please have a look at

K. Matsuura and H. Imai. ``Resolution of ISAKMP/Oakley Key-Agreement
 Protocol Resistant against Denial-of-Service Attack''. Proc. of
 Internet Workshop'99 (IWS'99), IEEE Press, pp. 17-24, 1999
available from
http://imailab-www.iis.u-tokyo.ac.jp/Members/kanta/iws99cr.ps.gz

) if CPU is protected.
Do you have any other reasons (why the most significant resource
 is CPU power rather than state memory)?

Paul Koning <pkoning@xedia.com> wrote:
>> Anderson> (2) Risk is reduced by minimizing set-up time and
>> Anderson> maximizing non-setup processing (time).
>>
>>No.  Time is not of the essence.  The essential issue is the resources 
>>consumed before good requests can be distinguished from bad ones.  The 
>>most significant resource is CPU power; the secondary one is state
>>memory. 

---- **** ----
 Kanta MATSUURA, Ph.D.
  Lecturer
  3rd Department,
  Institute of Industrial Science, University of Tokyo,
  Roppongi 7-22-1, Minato-ku, Tokyo 106-8558, JAPAN
    Tel: +81-3-3402-6231 (ext. 2325)
    Fax: +81-3-3479-1736
    E-Mail: kanta@iis.u-tokyo.ac.jp

